[Snort-users] SSH Preprocessor bug?

Al Lewis (allewi) allewi at ...589...
Thu Sep 10 07:10:25 EDT 2015


	Can you provide a pcap and your ssh preprocessor settings so we can see what you are witnessing?


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: katwell80 at ...10236... [mailto:katwell80 at ...10236...] 
Sent: Thursday, September 10, 2015 5:56 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] SSH Preprocessor bug?


I was just struggling with the ssh preprocessor because of that known ssh protocol mismatch problem.

I noticed that there is a max_encrypted_packets option, which my config has set to 20. However, last night I got a flood of protomismatch messages from snort when I had an ssh connection open. Why is this triggering at all on a long-open ssh session when the encrypted packets to check are limited to 20 after initializing the ssh connection?

I disabled the rule using the threshold.conf suppress option; however, I still wonder why these config options in the snort.conf preprocessor section don't seem to work.

