[Snort-users] Question about "ssh: Gobbles exploit"

Felix Erlacher felix.erlacher at uibk.ac.at
Thu Nov 30 12:50:28 EST 2017


The system generating these alerts must not have a vulnerable version of
openSSH. One reason might be that it executes an exploit for this
You should care about the version (and OS) of the targeted system.



On 30/11/17 14:58, Maxi Fernandez via Snort-users wrote:
> Hi,
> We are receiving alerts from "ssh gobbles exploit"
> (https://www.snort.org/rule_docs/128-1
> <https://www.snort.org/rule_docs/128-1>), this alert affects OpenSSH
> systems <= 3.3
> The problem is that the hosts that generate the alerts, have versions
> higher than those affected by this vulnerability.
> Our question is, why are these alerts generated on hosts that are not
> affected by that vulnerability?
> I attach the packet capture.
> Thank you

More information about the Snort-users mailing list