[Snort-users] ssh: Protocol mismatch

Griffin, Chris Andrew (Chris) cg58 at ...14468...
Mon Dec 7 14:31:43 EST 2009


	I just re-activated my sensor after a period of inactivity (mysql db machine was down).  Preprocessors are enabled including the (experimental?) ssh preprocessor.

preprocessor ssh: server_ports { 22 } \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

	I started two SSH2 sessions from a HOME_NET Windows XP PC (Secure CRT 4.0.1) to the Slackware 12.1 system running snort (Version (Build 114)).  It is OpenSSH_5.1p1 forcing "Protocol 2".

	I ended up getting 194 alerts labeled "ssh: Protocol mismatch".  As far as I know my connection was a "clean" two-way traffic exchange.  All the alerts are pertaining to the SSH Client -> SSH Server packets, though this makes some sense considering what I read about the protocol mismatch.  I tried another session from a !HOME_NET PC with another "clean" session and before I typed anything at the command prompt I had 58 alerts.

	The odd thing is I wouldn't expect a protocol mismatch to be triggered in this case?  I can't find much in the docs about how this alert works, but from what I gather it's when a non-SSH packet is sent to an SSH server on SSH_PORT (22)?  Also README.ssh says "The Secure CRT and protocol mismatch exploits are observable before the key exchange." but I believe a lot of the packets triggering this alert may not be before the key exchange, but I'm definitely no SSH expert.

Thoughts?  Does this sound like a problem? or do I misunderstand how this works?

Chris Griffin

More information about the Snort-users mailing list