Snort mailing list archives
Re: [Snort-users] Question about RuleID 128-1 for OpenSSH 7.x
From: "Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 4 Jun 2020 17:01:20 +0000
Hello Smriti,

1. 128-1 is a preprocessor event. It alerts on anomalous events that apply to those particular CVEs and can defend against attempted exploitation of those vulnerabilities.

2. Snort is a standalone IDS/IPS. It has no concept of what version of OpenSSH your customer is using on the endpoint. Meraki does not have this capability. In order to do that, you'll need to lean more towards the Firepower product line.

If you have a question about Snort internally, please email the snort team. This list is for open source users, not really for product questions.

--
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org
> On Jun 4, 2020, at 12:34 AM, Smriti Agarwal via Snort-users <snort-users () lists snort org> wrote:
>
> Hello,
>
> I have a question regarding signature 128-1: SSH_EVENT_RESPOVERFLOW is getting triggered due to CVE-2002-0639 and CVE-2002-0640. According to this CVE, SSH traffic is seen as a threat only if using OpenSSH versions 2.3.1 through 3.3. But my customer claims that they are not using OpenSSH version below 7. Why is this signature getting triggered if OpenSSH version is 7.x?
>
> Regards,
> Smriti Agarwal
> Cisco Meraki Technical Support
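The practical consequence of Joel's point is that the operator has to supply the endpoint context Snort lacks. The Snort 2.x snort.conf fragment below is an added example written for this archive page, not Joel's or the Snort project's own configuration. It shows the ssh preprocessor stanza that enables event 128:1 (the Snort manual documents this event as firing when a client pushes more than max_client_bytes to the server, without a server response, inside the first max_encrypted_packets packets of a session, which is why it does not depend on the server's OpenSSH version), followed by the two tuning choices an operator has: suppress 128:1 for servers verified to run OpenSSH 7.x, or keep it and rate-limit it. The addresses 192.0.2.10 and 192.0.2.11 are placeholders, and the stanza values are the manual's defaults, not a recommendation for any particular site.

```conf
# Added example, not from the original thread. Snort 2.x snort.conf syntax.

# ssh preprocessor (gid 128). 128:1 is the Challenge-Response Overflow event
# and is turned on by enable_respoverflow. The preprocessor only counts bytes
# and packets; it never learns the server's OpenSSH version.
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 80 \
                  enable_respoverflow \
                  enable_ssh1crc32 \
                  enable_srvoverflow \
                  enable_protomismatch \
                  enable_badmsgdir \
                  enable_paysize \
                  enable_recognition

# Option 1: the operator knows these servers run OpenSSH 7.x (placeholder
# addresses), so 128:1 is suppressed only for traffic destined to them.
# Every other SSH server on the network keeps the alert.
suppress gen_id 128, sig_id 1, track by_dst, ip [192.0.2.10,192.0.2.11]

# Option 2: keep the event everywhere but emit at most one alert per
# destination per minute, so a legitimate bulk client cannot flood the console.
event_filter gen_id 128, sig_id 1, type limit, track by_dst, count 1, seconds 60
```

Suppression is the sharper tool when the asset inventory is trustworthy; the event_filter is the safer default when it is not, because the alert still surfaces and only its volume changes.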