[Snort-users] ssh: Protocol mismatch

Ryan Jordan ryan.jordan at ...1935...
Wed Dec 16 11:56:46 EST 2009


I know this is delayed, I haven't been trolling snort-users as much lately.

"Protocol Mismatch" should be alerting when the version strings for your SSH
Client and Server don't match up. This is intended to happen in the
following situations:

- SSH1 client connecting to an SSH2 server
- SSH2 client connecting to an SSH1 server
- A non-SSH client connecting to an SSH server.

As of Snort 2.8.5.1, there's a bug where turning on "autodetect" in your SSH
config will give you a lot of "Protocol Mismatch" false positives. This will
be fixed in the next release. However, I didn't see "autodetect" enabled in
Chris' pasted config.

Chris, I'm not really sure how you managed to generate so many alerts. I can
tell you that the only real exploit "Protocol Mismatch" alerts on is some
old Cisco server vuln*. Other than that, it's just anomaly detection. If
it's too noisy, you ought to be fine turning it off.

-Ryan

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0080
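To make the version-string comparison above concrete, here is an added illustration (not code from the thread or from the Snort ssh preprocessor): it parses the RFC 4253 identification string each side sends before key exchange and flags the three situations listed above. The banners and the "1.99" compatibility handling are assumptions for the example, not captured traffic from Chris' sensor.

```python
import re

# RFC 4253 section 4.2 identification string:
# "SSH-protoversion-softwareversion SP comments CR LF"
_IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def parse_ident(line: bytes):
    """Return (protoversion, softwareversion) for an SSH banner, or None when
    the line is not a well-formed identification string (e.g. an HTTP request)."""
    try:
        text = line.rstrip(b"\r\n").decode("ascii")
    except UnicodeDecodeError:
        return None
    match = _IDENT_RE.match(text)
    if match is None:
        return None
    return match.group(1), match.group(2)


def major_versions(protoversion: str) -> set:
    """Major protocol versions a peer will speak. "1.99" is the RFC 4253
    compatibility value meaning the peer accepts both SSH1 and SSH2."""
    if protoversion == "1.99":
        return {1, 2}
    return {int(protoversion.split(".", 1)[0])}


def classify_exchange(client_line: bytes, server_line: bytes) -> str:
    """Compare the two banners: SSH1<->SSH2 pairings and non-SSH clients
    are reported as a mismatch, anything else is a normal session."""
    server = parse_ident(server_line)
    if server is None:
        return "not-ssh-server"          # nothing to compare against
    client = parse_ident(client_line)
    if client is None:
        return "mismatch:non-ssh-client"  # e.g. HTTP or telnet sent to port 22
    if not (major_versions(client[0]) & major_versions(server[0])):
        return f"mismatch:ssh{client[0]}-client-to-ssh{server[0]}-server"
    return "ok"


if __name__ == "__main__":
    # Constructed sample exchanges, not from the original thread's capture.
    cases = [
        (b"SSH-2.0-SecureCRT_4.0.1\r\n", b"SSH-2.0-OpenSSH_5.1p1\r\n"),
        (b"SSH-1.5-OldClient\r\n",       b"SSH-2.0-OpenSSH_5.1p1\r\n"),
        (b"SSH-2.0-AnyClient\r\n",       b"SSH-1.99-LegacyServer\r\n"),
        (b"GET / HTTP/1.0\r\n",          b"SSH-2.0-OpenSSH_5.1p1\r\n"),
    ]
    for client, server in cases:
        print(client.strip(), b"->", server.strip(), classify_exchange(client, server))
```

A clean SSH2-to-SSH2 session like Chris' should classify as "ok" on its first exchange; the check has nothing to say about the encrypted packets that follow, which is why hundreds of alerts on one session point at the preprocessor rather than the traffic.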

On Mon, Dec 7, 2009 at 3:43 PM, Eoin Miller <
eoin.miller at ...14586...> wrote:

> FYI, I've seen the same thing happen when using PuTTY as a client from
> a Windows box.
>
> -- Eoin
>
> Griffin, Chris Andrew (Chris) wrote:
> > Guys,
> >
> >       I just re-activated my sensor after a period of inactivity (mysql
> db machine was down).  Preprocessors are enabled including the
> (experimental?) ssh preprocessor.
> >
> > preprocessor ssh: server_ports { 22 } \
> >                   max_client_bytes 19600 \
> >                   max_encrypted_packets 20 \
> >                   enable_respoverflow enable_ssh1crc32 \
> >                   enable_srvoverflow enable_protomismatch
> >
> >
> >       I started two SSH2 sessions from a HOME_NET Windows XP PC (Secure
> CRT 4.0.1) to the Slackware 12.1 system running snort (Version 2.8.5.1
> (Build 114)).  It is OpenSSH_5.1p1 forcing "Protocol 2".
> >
> >       I ended up getting 194 alerts labeled "ssh: Protocol mismatch".  As
> far as I know my connection was a "clean" two-way traffic exchange.  All the
> alerts are pertaining to the SSH Client -> SSH Server packets, though this
> makes some sense considering what I read about the protocol mismatch.  I
> tried another session from a !HOME_NET PC with another "clean" session and
> before I typed anything at the command prompt I had 58 alerts.
> >
> >       The odd thing is I wouldn't expect a protocol mismatch to be
> triggered in this case?  I can't find much in the docs about how this alert
> works, but from what I gather it's when a non-SSH packet is sent to an SSH
> server on SSH_PORT (22)?  Also README.ssh says "The Secure CRT and protocol
> mismatch exploits are observable before the key exchange." but I believe a
> lot of the packets triggering this alert may not be before the key exchange,
> but I'm definitely no SSH expert.
> >
> >
> > Thoughts?  Does this sound like a problem, or do I misunderstand how this
> works?
> >
> >
> >
> >
> > Chris Griffin
> >
> >
> >