Snort mailing list archives
Re: Aw...
From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
Date: Fri, 23 Nov 2001 23:35:34 +0100
Hi!

On Fri, Nov 23, 2001 at 05:08:47PM -0500, Tim Sailer wrote:
> It's a sad day when both snort.org and whitehats are both down at the same time. I'm seeing a LOT of the ssh crc attacks in the logs of the machines that actually log to my central machine. Does someone have a snort rule to detect this?

Before trying to find out who seems to break in, ask the users there whether they use the ssh2-protocol! The SSH2-Protocol seems to generate one false positive per connection startup in the rule containing (the zero-fill) 'EXPLOIT ssh CRC32 overflow filler'. So we had to ignore those... (which was no problem, because our old vulnerable ssh1's are gone).

Stucki

--
Christoph von Stuckrad       * *  | nickname  | <stucki () math fu-berlin de> \
Freie Universitaet Berlin    |/_* | 'stucki'  | Tel(days):+49 30 838-75 459   |
Fachbereich Mathematik, EDV  |\ * | if online | Tel(else):+49 30 77 39 6600   |
Arnimallee 2-6/14195 Berlin  * *  | on IRCnet | Fax(alle):+49 30 838-75454    /
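
Added example, not part of the original post and not Snort's own code: a small triage script that applies the observation above by sorting 'EXPLOIT ssh CRC32 overflow filler' alerts according to whether the destination sshd still offers protocol 1. The alert lines (a simplified "fast"-style format), the banner inventory and the verdict labels are constructed assumptions for illustration.

```python
import re

RULE_MSG = "EXPLOIT ssh CRC32 overflow filler"  # rule name quoted in the post

# Constructed sample alerts (simplified Snort "fast" style), not real log data.
SAMPLE_ALERTS = """\
11/23-17:08:47.101 [**] EXPLOIT ssh CRC32 overflow filler [**] {TCP} 198.51.100.7:40112 -> 192.0.2.10:22
11/23-17:08:49.220 [**] EXPLOIT ssh CRC32 overflow filler [**] {TCP} 198.51.100.7:40113 -> 192.0.2.11:22
11/23-17:09:02.010 [**] EXPLOIT ssh CRC32 overflow filler [**] {TCP} 198.51.100.9:51000 -> 192.0.2.12:22
11/23-17:09:03.330 [**] EXPLOIT ssh CRC32 overflow filler [**] {TCP} 198.51.100.9:51002 -> 192.0.2.13:22
11/23-17:09:05.500 [**] SCAN example probe [**] {TCP} 198.51.100.9:51001 -> 192.0.2.10:22
"""

# Constructed inventory: identification string each sshd sends on connect.
SAMPLE_BANNERS = {
    "192.0.2.10": "SSH-2.0-exampled_3.0",   # SSH2 only
    "192.0.2.11": "SSH-1.99-exampled_2.9",  # 1.99 = accepts protocol 1 and 2
    "192.0.2.12": "SSH-1.5-exampled_1.2",   # SSH1 only
}

ALERT_RE = re.compile(
    r"\[\*\*\] (?P<msg>.+?) \[\*\*\] \{TCP\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-")

def offers_ssh1(banner):
    """True if the server offers protocol 1, False if SSH2-only, None if unknown."""
    m = BANNER_RE.match(banner or "")
    if not m:
        return None
    return int(m.group(1)) == 1  # major version 1 covers 1.x and 1.99

def triage(alert_text, banners):
    """Return (dst, src, verdict) for every alert raised by RULE_MSG."""
    results = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m.group("msg") != RULE_MSG:
            continue
        ssh1 = offers_ssh1(banners.get(m.group("dst")))
        verdict = {None: "unknown-check-host", True: "investigate",
                   False: "likely-false-positive"}[ssh1]
        results.append((m.group("dst"), m.group("src"), verdict))
    return results

if __name__ == "__main__":
    for dst, src, verdict in triage(SAMPLE_ALERTS, SAMPLE_BANNERS):
        print(f"{dst:<12} from {src:<14} {verdict}")
```

A "likely-false-positive" verdict only reflects the SSH2 behaviour reported in the post; hosts with no recorded banner stay in the "unknown-check-host" bucket until their sshd version is confirmed.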