[Snort-users] SSH preprocessor

Philip Edwards phil.e at ...15568...
Mon Mar 4 18:08:38 EST 2013


I wonder if you could help me with an issue I'm having.

Snort is reporting an SSH protocol mismatch when I attempt to ssh from my laptop to the Ubuntu machine that Snort is running on.

philip-edwards-computer:~ phil$ ssh -vv phil at ...16124...
OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to [] port 22.
debug1: Connection established.
debug1: identity file /Users/phil/.ssh/identity type -1
debug1: identity file /Users/phil/.ssh/id_rsa type -1
debug1: identity file /Users/phil/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
...... etc

The alert is spp_ssh protocol mismatch.

Since I'm connecting on port 22 and both server and client use version 2 by default, I'm not sure what has triggered the alert.

It alerts whether autodetect in the SSH preprocessor is enabled or not.

Any ideas?


Phil E

