Snort mailing list archives
Cygwin SSH triggers false CRC32 EXPLOIT FILLER alarm
From: podsednm () inf upol cz
Date: 26 Nov 2001 15:18:16 +0100
Hello,

Sorry if this has been around before, but I just noticed that a connection from Cygwin's build of SSH triggers a false CRC32 EXPLOIT alarm:

[**] EXPLOIT ssh CRC32 overflow filler [**]
11/26-14:29:43.033100 158.194.80.111:3725 -> 158.194.80.95:22
TCP TTL:128 TOS:0x0 ID:33924 IpLen:20 DgmLen:672 DF
***AP*** Seq: 0x26B45101  Ack: 0xB0489F84  Win: 0xFAD9  TcpLen: 20
00 00 02 74 0B 14 BB 44 84 22 F8 03 71 DD 4A F7  ...t...D."..q.J.
E7 80 F2 3E 42 51 00 00 00 3D 64 69 66 66 69 65  ...>BQ...=diffie
2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75 70 2D 65  -hellman-group-e
78 63 68 61 6E 67 65 2D 73 68 61 31 2C 64 69 66  xchange-sha1,dif
66 69 65 2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75  fie-hellman-grou
70 31 2D 73 68 61 31 00 00 00 0F 73 73 68 2D 72  p1-sha1....ssh-r
73 61 2C 73 73 68 2D 64 73 73 00 00 00 96 61 65  sa,ssh-dss....ae
73 31 32 38 2D 63 62 63 2C 33 64 65 73 2D 63 62  s128-cbc,3des-cb
63 2C 62 6C 6F 77 66 69 73 68 2D 63 62 63 2C 63  c,blowfish-cbc,c
61 73 74 31 32 38 2D 63 62 63 2C 61 72 63 66 6F  ast128-cbc,arcfo
75 72 2C 61 65 73 31 39 32 2D 63 62 63 2C 61 65  ur,aes192-cbc,ae
73 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65  s256-cbc,rijndae
6C 31 32 38 2D 63 62 63 2C 72 69 6A 6E 64 61 65  l128-cbc,rijndae
6C 31 39 32 2D 63 62 63 2C 72 69 6A 6E 64 61 65  l192-cbc,rijndae
6C 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65  l256-cbc,rijndae
6C 2D 63 62 63 40 6C 79 73 61 74 6F 72 2E 6C 69  l-cbc@lysator.li
75 2E 73 65 00 00 00 96 61 65 73 31 32 38 2D 63  u.se....aes128-c
62 63 2C 33 64 65 73 2D 63 62 63 2C 62 6C 6F 77  bc,3des-cbc,blow
66 69 73 68 2D 63 62 63 2C 63 61 73 74 31 32 38  fish-cbc,cast128
2D 63 62 63 2C 61 72 63 66 6F 75 72 2C 61 65 73  -cbc,arcfour,aes
31 39 32 2D 63 62 63 2C 61 65 73 32 35 36 2D 63  192-cbc,aes256-c
62 63 2C 72 69 6A 6E 64 61 65 6C 31 32 38 2D 63  bc,rijndael128-c
62 63 2C 72 69 6A 6E 64 61 65 6C 31 39 32 2D 63  bc,rijndael192-c
62 63 2C 72 69 6A 6E 64 61 65 6C 32 35 36 2D 63  bc,rijndael256-c
62 63 2C 72 69 6A 6E 64 61 65 6C 2D 63 62 63 40  bc,rijndael-cbc@
6C 79 73 61 74 6F 72 2E 6C 69 75 2E 73 65 00 00  lysator.liu.se..
00 55 68 6D 61 63 2D 6D 64 35 2C 68 6D 61 63 2D  .Uhmac-md5,hmac-
73 68 61 31 2C 68 6D 61 63 2D 72 69 70 65 6D 64  sha1,hmac-ripemd
31 36 30 2C 68 6D 61 63 2D 72 69 70 65 6D 64 31  160,hmac-ripemd1
36 30 40 6F 70 65 6E 73 73 68 2E 63 6F 6D 2C 68  60@openssh.com,h
6D 61 63 2D 73 68 61 31 2D 39 36 2C 68 6D 61 63  mac-sha1-96,hmac
2D 6D 64 35 2D 39 36 00 00 00 55 68 6D 61 63 2D  -md5-96...Uhmac-
6D 64 35 2C 68 6D 61 63 2D 73 68 61 31 2C 68 6D  md5,hmac-sha1,hm
61 63 2D 72 69 70 65 6D 64 31 36 30 2C 68 6D 61  ac-ripemd160,hma
63 2D 72 69 70 65 6D 64 31 36 30 40 6F 70 65 6E  c-ripemd160@open
73 73 68 2E 63 6F 6D 2C 68 6D 61 63 2D 73 68 61  ssh.com,hmac-sha
31 2D 39 36 2C 68 6D 61 63 2D 6D 64 35 2D 39 36  1-96,hmac-md5-96
00 00 00 04 6E 6F 6E 65 00 00 00 04 6E 6F 6E 65  ....none....none
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........

$ ssh -V
OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602F

I guess the SSH CRC32 EXPLOIT rule should be changed to be more specific.

Regards,
Michal Podsednik
podsednm () inf upol cz

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
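The dump in the post is an ordinary SSH2 KEXINIT, and the 24 NUL bytes at its end are the two empty language name-lists, the first_kex_packet_follows byte, the reserved field and 11 bytes of padding, which is exactly the kind of run a "filler" rule keyed on NUL bytes picks up. The Python below is an added example, not code from the post or from Snort: it rebuilds that packet from the name-lists in the dump, shows that a plain run-of-NULs check fires on it, and shows a more specific check that first parses the packet as a KEXINIT and only keeps the alert when that fails; the threshold of 24 and the NUL padding are assumptions taken from the dump.

```python
import struct
# Name-lists copied from the KEXINIT in the post (the Cygwin OpenSSH client).
KEX = b"diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"
HOSTKEY = b"ssh-rsa,ssh-dss"
CIPHERS = (b"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,"
           b"aes256-cbc,rijndael128-cbc,rijndael192-cbc,rijndael256-cbc,"
           b"rijndael-cbc@lysator.liu.se")
MACS = (b"hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,"
        b"hmac-sha1-96,hmac-md5-96")
COOKIE = bytes.fromhex("BB448422F80371DD4AF7E780F23E4251")  # cookie from the dump
NUL_RUN_THRESHOLD = 24  # assumed: the rule fired on the 24 trailing NULs in the dump

def build_kexinit():
    """Rebuild the 632-byte SSH binary packet from the post out of its name-lists."""
    payload = b"\x14" + COOKIE
    for nl in (KEX, HOSTKEY, CIPHERS, CIPHERS, MACS, MACS, b"none", b"none", b"", b""):
        payload += struct.pack(">I", len(nl)) + nl   # two empty language lists = 8 NULs
    payload += b"\x00" * 5                            # first_kex_packet_follows + reserved
    pad = 11                                          # padding_length byte in the dump
    body = bytes([pad]) + payload + b"\x00" * pad     # OpenSSH padded with NULs here
    return struct.pack(">I", len(body)) + body

def longest_nul_run(data):
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == 0 else 0
        best = max(best, cur)
    return best

def naive_filler_alert(packet):  # what a plain run-of-NULs rule effectively does
    return longest_nul_run(packet) >= NUL_RUN_THRESHOLD

def parse_kexinit(packet):
    """Return the ten name-lists if packet is a well-formed cleartext KEXINIT, else None."""
    if len(packet) < 22: return None
    plen, pad = struct.unpack(">IB", packet[:5])
    if plen + 4 != len(packet) or packet[5] != 0x14 or pad < 4: return None
    pos, end, lists = 22, len(packet) - pad, []       # skip length, pad, msg byte, cookie
    for _ in range(10):
        if pos + 4 > end: return None
        n = struct.unpack(">I", packet[pos:pos + 4])[0]
        if pos + 4 + n > end: return None
        lists.append(packet[pos + 4:pos + 4 + n])
        pos += 4 + n
    # Only the boolean and the all-zero reserved field may remain before the padding.
    if pos + 5 != end or packet[pos + 1:end] != b"\x00" * 4: return None
    return lists

def tuned_filler_alert(packet):  # a NUL run only counts outside a valid KEXINIT
    return naive_filler_alert(packet) and parse_kexinit(packet) is None
```

Against the rebuilt packet the naive check fires and the tuned one stays quiet, while a packet whose NUL run is not explained by a well-formed KEXINIT still alerts under both.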