Snort mailing list archives

EXPLOIT ssh CRC32 false alerts


From: Jean Michel BARBET <Jean-Michel.Barbet () subatech in2p3 fr>
Date: Mon, 17 Jun 2002 15:19:18 +0200

Hello,

It looks like I am getting false SSH alerts since I upgraded my SSH
servers from SSHV1 to SSHV2 (OpenSSH):

[**] [1:1325:1] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected] [Priority: 1]
06/17-14:22:08.003877 XXX.XXX.XXX.XXX:1090 -> YYY.YYY.YYY.YYY:22
TCP TTL:54 TOS:0x0 ID:61699 IpLen:20 DgmLen:672 DF
***AP*** Seq: 0xE0667173  Ack: 0x43E2EA00  Win: 0x1920  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

Has anybody noticed the same? Any explanation (is it normal that the
filler "|00 00 00 00 00 00 00 00 00 00 00 00 00|" appears in normal
operation of the V2 protocol?)

How can I modify the rules (or maybe this is fixed in more recent
rules)? I am using the rules that came with Snort version 1.8.2,
Build 86.

Thank you.

Jean-Michel.
-- 
------------------------------------------------------------------------
Jean-michel BARBET                    | Tel: +33 (0)2 51 85 84 86 
Laboratoire SUBATECH Nantes France    | Fax: +33 (0)2 51 85 84 79
CNRS-IN2P3/Ecole des Mines/Universite | E-Mail: barbet () subatech in2p3 fr
------------------------------------------------------------------------
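Added example (editor's code, not from the post, from Snort, or from OpenSSH): the alert quoted above is a plain byte-string content match, and the SSH2 SSH_MSG_KEXINIT layout in RFC 4253 section 7.1 contains one place where thirteen consecutive 0x00 bytes occur legitimately: an empty languages_client_to_server name-list (4 zero bytes), an empty languages_server_to_client name-list (4), the first_kex_packet_follows boolean (1) and the reserved uint32 (4). The script builds a KEXINIT payload and its binary-packet framing per RFC 4253 (the algorithm names are made-up sample values, not any particular client's), runs the 13-byte match from the quoted alert over it, and reports the offset and the longest null run, so a captured SSHv2 packet can be checked for the same condition. Whether the poster's capture matched at exactly this point can only be confirmed against the actual packet; the script gives the offset to compare.

```python
"""Build an SSH2 KEXINIT (RFC 4253) and apply the 13-null-byte content match
from the quoted Snort alert. Editor's example; algorithm names are samples."""
import os
import struct

# Byte pattern quoted in the alert text on this page: thirteen 0x00 bytes.
FILLER = b"\x00" * 13

SSH_MSG_KEXINIT = 20  # RFC 4253 section 12


def ssh_namelist(names):
    """RFC 4253 section 5 name-list: uint32 length + comma-separated ASCII.
    An empty list encodes as four zero bytes."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, enc, mac, comp,
                  lang_c2s=(), lang_s2c=(), first_follows=False, cookie=None):
    """Payload of SSH_MSG_KEXINIT (RFC 4253 section 7.1), before framing.
    Field order: msg byte, 16-byte cookie, ten name-lists, boolean, uint32 0."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    # c2s and s2c lists are sent separately; sample values reuse the same names.
    for names in (kex, hostkey, enc, enc, mac, mac, comp, comp, lang_c2s, lang_s2c):
        payload += ssh_namelist(names)
    payload += bytes([1 if first_follows else 0])  # first_kex_packet_follows
    payload += struct.pack(">I", 0)                 # reserved, MUST be zero
    return payload


def frame_packet(payload, block_size=8):
    """RFC 4253 section 6 binary packet: uint32 packet_length, byte
    padding_length, payload, random padding (>= 4 bytes, total a multiple
    of block_size). No MAC: KEXINIT goes out before keys exist."""
    padlen = block_size - ((5 + len(payload)) % block_size)
    if padlen < 4:
        padlen += block_size
    padding = os.urandom(padlen)
    return struct.pack(">IB", 1 + len(payload) + padlen, padlen) + payload + padding


def filler_matches(data, pattern=FILLER):
    """The check a content-only rule performs: substring search over the
    TCP payload. Returns the offset of the first hit, or -1."""
    return data.find(pattern)


def longest_zero_run(data):
    """Length of the longest run of consecutive 0x00 bytes in data."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        best = max(best, run)
    return best


# Sample algorithm lists (constructed for the example, not a real client's).
SAMPLE_LISTS = dict(kex=("diffie-hellman-group14-sha1",),
                    hostkey=("ssh-rsa",),
                    enc=("aes128-cbc",),
                    mac=("hmac-sha1",),
                    comp=("none",))

if __name__ == "__main__":
    plain = build_kexinit(**SAMPLE_LISTS)              # empty language lists
    tagged = build_kexinit(**SAMPLE_LISTS, lang_c2s=("en",))
    for label, payload in (("empty language lists", plain),
                           ("languages_c2s='en'", tagged)):
        pkt = frame_packet(payload)
        print(f"{label}: filler at payload offset {filler_matches(payload)}, "
              f"framed offset {filler_matches(pkt)}, "
              f"longest null run {longest_zero_run(payload)} bytes")
```

With both language name-lists empty (the common case) the null run is exactly the last 13 bytes of the KEXINIT payload; a single non-empty language list shortens it to 9 bytes and the match fails, which is a quick way to see that the rule keys on the KEXINIT tail rather than on anything specific to the CRC32 exploit. A rule with only that content match cannot distinguish the two, so it needs more context (position, direction, or protocol version negotiation) to be useful on SSHv2 traffic.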

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net