Snort mailing list archives

Re: Aw...


From: "Chr. v. Stuckrad" <stucki () math fu-berlin de>
Date: Fri, 23 Nov 2001 23:35:34 +0100

Hi!

On Fri, Nov 23, 2001 at 05:08:47PM -0500, Tim Sailer wrote:
> It's a sad day when both snort.org and whitehats are both down at the same 
> time.
> 
> I'm seeing a LOT of the ssh crc attacks in the logs of the machines that
> actually log to my central machine. Does someone have a snort rule to
> detect this?

Before trying to find out who seems to break in, ask the
users there whether they use the ssh2-protocol!

The SSH2-Protocol seems to generate one false positive
per connection startup in the rule containing (the zero-fill)
        'EXPLOIT ssh CRC32 overflow filler'

So we had to ignore those... (which was no problem, because
our old vulnerable ssh1's are gone).

Stucki

-- 
Christoph von Stuckrad       * *  | nickname  | <stucki () math fu-berlin de> \
Freie Universitaet Berlin    |/_* | 'stucki'  | Tel(days):+49 30 838-75 459 |
Fachbereich Mathematik, EDV  |\ * | if online | Tel(else):+49 30 77 39 6600 |
Arnimallee 2-6/14195 Berlin  * *  | on IRCnet | Fax(alle):+49 30 838-75454 /
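
One way to act on the advice in this mail when triaging these alerts, as an added example that is not part of the original message: read the identification banner each destination sshd sends and separate SSH2-only servers from those still offering SSH1. The alert line layout, addresses, banners and function names are constructed for illustration, and treating an SSH2-only server as out of scope for the SSH1 CRC32 issue is an assumption in line with the mail's remark that the vulnerable ssh1 daemons are gone.

```python
import re

# Rule message quoted in the mail above.
FILLER_MSG = "EXPLOIT ssh CRC32 overflow filler"
# SSH identification string: SSH-<protoversion>-<softwareversion>
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-\S+")
# Constructed, simplified alert layout: [**] msg [**] src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]\s*"
    r"(?P<src>[\d.]+):\d+\s*->\s*(?P<dst>[\d.]+):\d+")

def protocols_offered(banner):
    """Return the SSH protocol major versions a server banner advertises."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return set()
    major, minor = int(m.group(1)), int(m.group(2))
    # "1.99" is the compatibility marker: the server speaks SSH1 and SSH2.
    return {1, 2} if (major, minor) == (1, 99) else {major}

def triage(alert_lines, banners):
    """Label each filler alert by what the destination sshd can speak."""
    results = []
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if not m or m.group("msg") != FILLER_MSG:
            continue  # not the rule discussed here
        offered = protocols_offered(banners.get(m.group("dst"), ""))
        if not offered:
            verdict = "unknown-banner"         # no banner on file: check host
        elif 1 in offered:
            verdict = "investigate"            # SSH1 still reachable
        else:
            verdict = "likely-false-positive"  # SSH2-only server (assumption)
        results.append((m.group("src"), m.group("dst"), verdict))
    return results

# Constructed sample data: documentation addresses and made-up banners.
SAMPLE_BANNERS = {
    "192.0.2.5": "SSH-2.0-OpenSSH_3.0.1\r\n",
    "192.0.2.6": "SSH-1.99-OpenSSH_2.9p2\r\n",
    "192.0.2.7": "SSH-1.5-1.2.27\r\n",
}
SAMPLE_ALERTS = [
    f"11/23-17:02:1{i}.000000 [**] {FILLER_MSG} [**] 198.51.100.20:4012{i} -> 192.0.2.{h}:22"
    for i, h in enumerate((5, 6, 7, 9))
] + ["11/23-17:03:00.000000 [**] OTHER constructed rule [**] 198.51.100.20:40130 -> 192.0.2.6:22"]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, SAMPLE_BANNERS):
        print(*row)
```
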
