[Snort-users] Question about "ssh: Gobbles exploit"

Maxi Fernandez maxi3489 at gmail.com
Thu Nov 30 08:58:36 EST 2017


We are receiving alerts from "ssh gobbles exploit"
(https://www.snort.org/rule_docs/128-1). This alert affects OpenSSH systems
<= 3.3.
The problem is that the hosts that generate the alerts have versions
higher than those affected by this vulnerability.
Our question is: why are these alerts generated on hosts that are not
affected by that vulnerability?

I attach the packet capture.

Thank you
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gobbles-exploit.pcap
Type: application/vnd.tcpdump.pcap
Size: 9060 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20171130/22857ddf/attachment-0001.pcap>
