Snort mailing list archives

SSH Preprocessor bug?


From: <katwell80 () yahoo de>
Date: Thu, 10 Sep 2015 09:55:32 +0000 (UTC)

Hello.

I was just struggling with the ssh preprocessor because of that known ssh protocol mismatch problem.

I noticed that there is a max_encrypted_packets which my config has set to 20. However, last night I got a flood of protomismatch messages from snort when I had an ssh connection open. Why is this triggering at all on a long-open ssh session when the encrypted packets to check is limited to 20 after initializing the ssh connection?


I disabled the rule using the threshold.conf suppress option; however, I still wonder why these config options in the snort.conf preprocessor section don't seem to work.

Greetings
