[Snort-users] SSH Preprocessor bug?

katwell80 at ...10236... katwell80 at ...10236...
Thu Sep 10 05:55:32 EDT 2015


I was just struggling with the ssh preprocessor because of that known ssh protocol mismatch problem.

I noticed that there is a max_encrypted_packets setting, which my config has set to 20. However, last night I got a flood of protomismatch messages from snort when I had an ssh connection open. Why is this triggering at all on a long-open ssh session when the number of encrypted packets to check is limited to 20 after initializing the ssh connection?

I disabled the rule using the threshold.conf suppress option; however, I still wonder why these config options in the snort.conf preprocessor section don't seem to work.

