[Snort-users] ssh: Protocol mismatch

Griffin, Chris Andrew (Chris) cg58 at ...14468...
Mon Dec 21 15:30:10 EST 2009


Ryan,

    You are correct that I do not use "autodetect".  I have an SSH2 client connecting to an SSH2 server.  I'll disable it going forward, but as you mention I can think of no reason why I would be generating so many alerts.  I've submitted a bunch of stuff including packet captures to Alex, at his request.



Chris Griffin



________________________________
From: Ryan Jordan [mailto:ryan.jordan at ...1935...]
Sent: Wednesday, December 16, 2009 11:57 AM
To: Eoin Miller; snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] ssh: Protocol mismatch

I know this is delayed, I haven't been trolling snort-users as much lately.

"Protocol Mismatch" should be alerting when the version strings for your SSH Client and Server don't match up. This is intended to happen in the following situations:

- SSH1 client connecting to an SSH2 server
- SSH2 client connecting to an SSH1 server
- A non-SSH client connecting to an SSH server.

As of Snort 2.8.5.1, there's a bug where turning on "autodetect" in your SSH config will give you a lot of "Protocol Mismatch" false positives. This will be fixed in the next release. However, I didn't see "autodetect" enabled in Chris' pasted config.

Chris, I'm not really sure how you managed to generate so many alerts. I can tell you that the only real exploit "Protocol Mismatch" alerts on is some old Cisco server vuln*. Other than that, it's just anomaly detection. If it's too noisy, you ought to be fine turning it off.

-Ryan

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0080
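Ryan's three cases all come down to the identification strings the two sides exchange before key exchange (RFC 4253 section 4.2). The following is an added example, not Snort's own preprocessor code: it parses constructed client and server banners and applies the same three-way classification, treating a "1.99" server as SSH2 with SSH1 compatibility.

```python
import re
from typing import NamedTuple, Optional

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF
# The line must begin with "SSH-" and is at most 255 bytes including CRLF.
_IDENT_RE = re.compile(
    rb"^SSH-(?P<proto>\d+\.\d+)-(?P<soft>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?\r?\n$"
)

class SshIdent(NamedTuple):
    proto: str       # e.g. "2.0", "1.5", "1.99"
    software: str    # e.g. "OpenSSH_5.1p1"

    def speaks(self, major: int) -> bool:
        """True if this endpoint can negotiate the given major version.
        "1.99" is an SSH2 implementation that also accepts SSH1 peers."""
        if self.proto == "1.99":
            return major in (1, 2)
        return int(self.proto.split(".")[0]) == major

def parse_ident(line: bytes) -> Optional[SshIdent]:
    """Parse one identification line; None if it is not an SSH banner."""
    if len(line) > 255:
        return None
    m = _IDENT_RE.match(line)
    if m is None:
        return None
    return SshIdent(m["proto"].decode("ascii", "replace"),
                    m["soft"].decode("ascii", "replace"))

def classify_exchange(client_line: bytes, server_line: bytes) -> str:
    """Apply the three mismatch cases described in the thread to one
    client/server banner pair: "ok" when both sides can agree on a
    protocol version, otherwise a "mismatch: ..." label for the case.
    The non-SSH-server case is an addition beyond the three listed."""
    server = parse_ident(server_line)
    client = parse_ident(client_line)
    if server is None:
        return "mismatch: server did not send an SSH banner"
    if client is None:
        return "mismatch: non-SSH client"
    # A client that only speaks SSH1 is SSH1; anything else counts as SSH2.
    client_major = 1 if client.speaks(1) and not client.speaks(2) else 2
    if not server.speaks(client_major):
        return f"mismatch: SSH{client_major} client to SSH{3 - client_major} server"
    return "ok"

# Constructed banners modelled on the session in the thread (not captured data).
if __name__ == "__main__":
    print(classify_exchange(b"SSH-2.0-SecureCRT_4.0.1\r\n", b"SSH-2.0-OpenSSH_5.1p1\r\n"))
```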

On Mon, Dec 7, 2009 at 3:43 PM, Eoin Miller <eoin.miller at ...14586...> wrote:
FYI, I've seen the same thing happen when using PuTTY as a client from
a windows box.

-- Eoin

Griffin, Chris Andrew (Chris) wrote:
> Guys,
>
>       I just re-activated my sensor after a period of inactivity (mysql db machine was down).  Preprocessors are enabled including the (experimental?) ssh preprocessor.
>
> preprocessor ssh: server_ports { 22 } \
>                   max_client_bytes 19600 \
>                   max_encrypted_packets 20 \
>                   enable_respoverflow enable_ssh1crc32 \
>                   enable_srvoverflow enable_protomismatch
>
>
>       I started two SSH2 sessions from a HOME_NET Windows XP PC (Secure CRT 4.0.1) to the Slackware 12.1 system running snort (Version 2.8.5.1 (Build 114)).  It is OpenSSH_5.1p1 forcing "Protocol 2".
>
>       I ended up getting 194 alerts labeled "ssh: Protocol mismatch".  As far as I know my connection was a "clean" two-way traffic exchange.  All the alerts are pertaining to the SSH Client -> SSH Server packets, though this makes some sense considering what I read about the protocol mismatch.  I tried another session from a !HOME_NET PC with another "clean" session and before I typed anything at the command prompt I had 58 alerts.
>
>       The odd thing is I wouldn't expect a protocol mismatch to be triggered in this case?  I can't find much in the docs about how this alert works, but from what I gather it's when a non-SSH packet is sent to an SSH server on SSH_PORT (22)?  Also README.ssh says "The Secure CRT and protocol mismatch exploits are observable before the key exchange." but I believe a lot of the packets triggering this alert may not be before the key exchange, but I'm definitely no SSH expert.
>
>
> Thoughts?  Does this sound like a problem? or do I misunderstand how this works?
>
>
>
>
> Chris Griffin
>
>

