Snort mailing list archives

Re: SSH Preprocessor bug?


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 10 Sep 2015 11:10:25 +0000

Hello,

        Can you provide a pcap and your ssh preprocessor settings so we can see what you are witnessing?

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi () cisco com 

-----Original Message-----
From: katwell80 () yahoo de [mailto:katwell80 () yahoo de] 
Sent: Thursday, September 10, 2015 5:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SSH Preprocessor bug?

Hello.

I was just struggling with the ssh preprocessor because of that known ssh protocol mismatch problem.

I noticed that there is a max_encrypted_packets option, which my config has set to 20. However, last night I got a flood of 
protomismatch messages from snort when I had an ssh connection open. Why is this triggering at all on a long-open ssh 
session when the encrypted packets to check are limited to 20 after initializing the ssh connection?


I disabled the rule using the threshold.conf suppress option; however, I still wonder why these config options in the 
snort.conf preprocessor section don't seem to work.

Greetings

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
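For reference, the settings the reply asks for, written out as an added example that is not from either poster: a Snort 2.x ssh preprocessor stanza with max_encrypted_packets set to 20 as in the report, followed by the threshold.conf suppress entry for the preprocessor's "Protocol mismatch" alert (GID 128, SID 4). The server port, the other limits and the IP address in the narrower suppress line are assumed values, not the poster's.

```conf
# snort.conf: SSH preprocessor stanza (Snort 2.x). Only max_encrypted_packets 20
# comes from the report; the port and the other limits are assumed values.
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

# threshold.conf: silence the preprocessor's "Protocol mismatch" alert
# (GID 128, SID 4) for all traffic, as the poster did.
suppress gen_id 128, sig_id 4

# Narrower alternative: suppress it only for one monitored SSH server
# (10.0.0.5 is a constructed address) so the check still fires elsewhere.
suppress gen_id 128, sig_id 4, track by_dst, ip 10.0.0.5
```

The suppress entry hides the alert after the preprocessor has raised it; if the check itself is unwanted, dropping enable_protomismatch from the stanza turns it off at the source. When sending a pcap to the list, capturing with a port filter (e.g. port 22) for a single long-lived session keeps it small and reproduces exactly the traffic the preprocessor saw.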

