Snort mailing list archives
Re: SSH Preprocessor bug?
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 10 Sep 2015 11:10:25 +0000
Hello,

Can you provide a pcap and your ssh preprocessor settings so we can see what you are witnessing?

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: katwell80 () yahoo de [mailto:katwell80 () yahoo de]
Sent: Thursday, September 10, 2015 5:56 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] SSH Preprocessor bug?

Hello.

I was just struggling with the ssh preprocessor because of that known ssh protocol mismatch problem. I noticed that there is a max_encrypted_packets which my config has set to 20. However, last night I got a flood of protomismatch messages from snort when I had an ssh connection open. Why is this triggering at all on a long-open ssh session when the encrypted packets to check is limited to 20 after initializing the ssh connection?

I disabled the rule using the threshold.conf suppress option; however, I still wonder why these config options in the snort.conf preprocessor section don't seem to work.

Greetings

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- SSH Preprocessor bug? katwell80 (Sep 10)
- Re: SSH Preprocessor bug? Al Lewis (allewi) (Sep 10)