[Snort-users] Question about "ssh: Gobbles exploit"

Felix Erlacher felix.erlacher at uibk.ac.at
Thu Nov 30 12:50:28 EST 2017


Hi,

The system generating these alerts must not have a vulnerable version of
OpenSSH. One reason might be that it executes an exploit for this
vulnerability.
You should care about the version (and OS) of the targeted system.

regards

Felix

On 30/11/17 14:58, Maxi Fernandez via Snort-users wrote:
> Hi,
> 
> We are receiving alerts from "ssh gobbles exploit"
> (https://www.snort.org/rule_docs/128-1). This alert affects OpenSSH
> systems <= 3.3.
> The problem is that the hosts that generate the alerts have versions
> higher than those affected by this vulnerability.
> Our question is, why are these alerts generated on hosts that are not
> affected by that vulnerability?
> 
> 
> I attach the packet capture.
> 
> 
> Thank you
> 
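Added example, not part of the original thread: a small triage helper that applies the advice above by reading the targeted host out of each 128:1 alert and comparing that host's OpenSSH banner with the <= 3.3 range mentioned in the question. The alert lines, addresses and banners are constructed, and the code assumes Snort's "fast" alert format with the alert's destination being the SSH server.

```python
import re

# Snort "fast" alert: ts [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?"
    r"\{TCP\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):\d+")
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)")
AFFECTED_MAX = (3, 3)  # the thread gives the affected range as OpenSSH <= 3.3

def openssh_version(banner):
    """Return (major, minor) from an SSH banner, or None if it is not OpenSSH."""
    m = BANNER_RE.match(banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(alert_lines, banners):
    """Return (source, target, verdict) for every 128:1 alert line."""
    results = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m or (m["gid"], m["sid"]) != ("128", "1"):
            continue  # not the rule discussed in this thread
        version = openssh_version(banners.get(m["dst"]))
        if version is None:
            verdict = "target version unknown: collect its SSH banner"
        elif version <= AFFECTED_MAX:
            verdict = "target in affected range: treat as priority"
        else:
            verdict = "target not affected: find out why the source sent this"
        results.append((m["src"], m["dst"], verdict))
    return results

# Constructed sample data (documentation address ranges, invented banners).
SAMPLE_ALERTS = [
    "11/30-14:58:01.000001  [**] [128:1:1] ssh: Gobbles exploit [**] "
    "[Priority: 1] {TCP} 198.51.100.7:40122 -> 192.0.2.10:22",
    "11/30-14:58:02.000001  [**] [128:1:1] ssh: Gobbles exploit [**] "
    "[Priority: 1] {TCP} 198.51.100.7:40123 -> 192.0.2.20:22",
    "11/30-14:58:03.000001  [**] [128:1:1] ssh: Gobbles exploit [**] "
    "[Priority: 1] {TCP} 198.51.100.8:40124 -> 192.0.2.30:22",
    "11/30-14:58:04.000001  [**] [1:1000001:1] constructed other rule [**] "
    "[Priority: 3] {TCP} 198.51.100.9:40125 -> 192.0.2.10:80",
]
SAMPLE_BANNERS = {"192.0.2.10": "SSH-2.0-OpenSSH_7.4",
                  "192.0.2.20": "SSH-1.99-OpenSSH_3.1p1"}

if __name__ == "__main__":
    for src, dst, verdict in triage(SAMPLE_ALERTS, SAMPLE_BANNERS):
        print(f"{src} -> {dst}: {verdict}")
```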

