Snort mailing list archives

Re: [Snort-users] Question about RuleID 128-1 for OpenSSH 7.x


From: "Joel Esler (jesler) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 4 Jun 2020 17:01:20 +0000

Hello Smriti,

1. 128-1 is a preprocessor; it alerts on anomalous events that apply to those particular CVEs and can defend against attempted exploitation of those vulnerabilities.
2. Snort is a standalone IDS/IPS.  It has no concept of what version of OpenSSH your customer is using on the endpoint.  Meraki does not have this capability.  In order to do that, you'll need to lean more towards the Firepower product line.

If you have a question about Snort internally, please email the snort team.  This list is for open source users, not really for product questions.


-- 
Joel Esler
Manager, Communities Division
Cisco Talos Intelligence Group
http://www.talosintelligence.com | https://www.snort.org

On Jun 4, 2020, at 12:34 AM, Smriti Agarwal via Snort-users <snort-users () lists snort org> wrote:

Hello, 

I have a question regarding signature 128-1: SSH_EVENT_RESPOVERFLOW is getting triggered due to CVE-2002-0639 and CVE-2002-0640. According to these CVEs, SSH traffic is seen as a threat only if using OpenSSH versions 2.3.1 through 3.3. But my customer claims that they are not using OpenSSH version below 7. Why is this signature getting triggered if OpenSSH version is 7.x?

Regards,
Smriti Agarwal
Cisco Meraki Technical Support
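The reply above makes the point that a preprocessor event such as 128-1 is driven by what the traffic looks like, not by which OpenSSH version the server runs. The following added example (editorial illustration, not Snort's code and not the preprocessor's actual logic) models that in Python: a toy session tracker raises a SSH_EVENT_RESPOVERFLOW-style alert when a client pushes an unusual volume of unanswered bytes early in the session, and a separate triage helper parses the server's RFC 4253 identification string and reports whether the banner version falls inside the 2.3.1 through 3.3 range the thread quotes from the CVEs. The threshold names and values are assumptions loosely modelled on the documented Snort 2 ssh preprocessor options `max_client_bytes` and `max_encrypted_packets`; the sample streams are constructed, not captured traffic.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# ILLUSTRATIVE thresholds, modelled on the documented Snort 2 ssh
# preprocessor options max_client_bytes / max_encrypted_packets.
# The real preprocessor's internal decision logic is not reproduced here.
MAX_CLIENT_BYTES = 19600
MAX_ENCRYPTED_PACKETS = 20

# Affected version range as quoted in the thread for CVE-2002-0639/0640.
CVE_RANGE = ((2, 3, 1), (3, 3))

BANNER_RE = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^\s]+)")
VERSION_RE = re.compile(r"^OpenSSH_(\d+(?:\.\d+)*)")


def parse_banner(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (protocol, software) from an RFC 4253 identification string,
    e.g. b'SSH-2.0-OpenSSH_7.4\\r\\n' -> ('2.0', 'OpenSSH_7.4')."""
    m = BANNER_RE.match(payload)
    if not m:
        return None
    return m.group("proto").decode("ascii"), m.group("software").decode("ascii")


def openssh_version_in_cve_range(software: Optional[str]) -> Optional[bool]:
    """Triage helper: True if the banner's OpenSSH version lies in CVE_RANGE,
    False if outside it, None if the banner is not OpenSSH or unparsable."""
    m = VERSION_RE.match(software or "")
    if not m:
        return None
    version = tuple(int(x) for x in m.group(1).split("."))
    return CVE_RANGE[0] <= version <= CVE_RANGE[1]


@dataclass
class SshSession:
    server_software: Optional[str] = None
    unanswered_client_bytes: int = 0
    client_packets: int = 0
    alerts: List[str] = field(default_factory=list)

    def on_client(self, payload: bytes) -> None:
        self.client_packets += 1
        self.unanswered_client_bytes += len(payload)
        # Heuristic: a large volume of client data with no server reply early in
        # the session resembles a challenge-response overflow attempt. Note that
        # nothing here consults the server version at all.
        if (self.client_packets <= MAX_ENCRYPTED_PACKETS
                and self.unanswered_client_bytes > MAX_CLIENT_BYTES
                and not self.alerts):
            self.alerts.append("128:1 SSH_EVENT_RESPOVERFLOW")

    def on_server(self, payload: bytes) -> None:
        if self.server_software is None:
            banner = parse_banner(payload)
            if banner:
                self.server_software = banner[1]
        # Simplification: any server packet counts as answering the client.
        self.unanswered_client_bytes = 0


def analyze(stream):
    """Replay a list of (direction, payload) tuples ('c' client, 's' server)
    and return the detection result plus banner-based triage information."""
    session = SshSession()
    for direction, payload in stream:
        (session.on_client if direction == "c" else session.on_server)(payload)
    return {
        "server_software": session.server_software,
        "alerts": session.alerts,
        "banner_in_cve_range": openssh_version_in_cve_range(session.server_software),
    }


# Constructed sample streams (not captured traffic).
# Client floods ~20 KB with no server reply: the heuristic fires even though
# the server banner says OpenSSH 7.4, which is outside the CVE range.
SUSPICIOUS_STREAM = [
    ("s", b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("c", b"SSH-2.0-client\r\n"),
] + [("c", b"A" * 4096)] * 5

# Normal back-and-forth exchange: nothing fires.
BENIGN_STREAM = [
    ("s", b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("c", b"SSH-2.0-client\r\n"),
    ("c", b"\x00" * 1024), ("s", b"\x00" * 1024),
    ("c", b"\x00" * 1024), ("s", b"\x00" * 1024),
]

if __name__ == "__main__":
    print(analyze(SUSPICIOUS_STREAM))
    print(analyze(BENIGN_STREAM))
```

The two halves are deliberately separate: the detector part never reads the banner, which is why a 7.x server still produces the alert, while the triage part uses the banner to decide how much weight to give that alert. In practice the banner-based check belongs in analyst tooling or a SIEM enrichment step, not in the sensor's detection path.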

