Snort mailing list archives

How can I configure ssh preprocessor??


From: carlopmart <carlopmart () gmail com>
Date: Wed, 30 Mar 2011 15:50:12 +0200

Hi all,

  I have a big problem with the ssh preprocessor configuration when 
"enable_protomismatch" is enabled. I have several different unix 
platforms on my network, like Solaris, OpenSolaris, RHEL, Ubuntu, etc. 
With my actual ssh preprocessor configuration, a lot of alerts are fired 
because every platform shows a different string.

  For example:

  a) Ubuntu LTS 10.04: "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6"
  b) RHEL6: "SSH-2.0-OpenSSH_5.3"
  c) RHEL5: "SSH-2.0-OpenSSH_4.3"
  d) My firewalls: "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3"
  ....

All clients and servers are configured to use protocol version 2, but 
when I try to connect via ssh between an Ubuntu and a RHEL host, the alarm 
"ssh: protocol mismatch" appears.

  My ssh preprocessor config is:

  preprocessor ssh: server_ports { 22 } \
                   autodetect \
                   max_client_bytes 19600 \
                   max_encrypted_packets 20 \
                   max_server_version_len 100 \
                   enable_respoverflow enable_ssh1crc32 \
                   enable_srvoverflow enable_protomismatch

  How can I adjust this config?

  Thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
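As an added example (not Snort's preprocessor code and not from the poster), a small RFC 4253 identification-string parser that shows the four banners quoted above all carry protocol version 2.0 and differ only in the software-version and comment fields, which a protocol-mismatch check should ignore; the host labels and the non-2.0 banners in the test are constructed.

```python
import re
from itertools import combinations
from typing import List, NamedTuple, Optional, Tuple

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments".
# softwareversion is printable US-ASCII with no whitespace and no '-'.
IDENT_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>[\x21-\x2c\x2e-\x7e]+)"
    r"(?: (?P<comments>[\x20-\x7e]*))?$"
)

class SshIdent(NamedTuple):
    proto: str
    software: str
    comments: Optional[str]

def parse_ident(line: str) -> SshIdent:
    """Split an identification string into its three RFC 4253 fields."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SSH identification string: {line!r}")
    return SshIdent(m["proto"], m["software"], m["comments"])

def protocol_mismatch(client: str, server: str) -> bool:
    """True only when the peers share no protocol major version.
    "1.99" (RFC 4253 section 5.1) means the peer accepts both 1.x and 2.0;
    the software version and comment fields never matter here."""
    c, s = parse_ident(client).proto, parse_ident(server).proto
    both_v2 = all(p in ("2.0", "1.99") for p in (c, s))
    both_v1 = all(p.startswith("1.") for p in (c, s))
    return not (both_v2 or both_v1)

# Constructed from the banners quoted in the post above (labels are mine).
POSTER_BANNERS = {
    "ubuntu-10.04": "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6",
    "rhel6": "SSH-2.0-OpenSSH_5.3",
    "rhel5": "SSH-2.0-OpenSSH_4.3",
    "firewall": "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3",
}

def pairwise_mismatches(banners: dict) -> List[Tuple[str, str]]:
    """Return every pair of hosts whose banners truly disagree on protocol."""
    return [(a, b) for a, b in combinations(sorted(banners), 2)
            if protocol_mismatch(banners[a], banners[b])]

if __name__ == "__main__":
    for host, banner in POSTER_BANNERS.items():
        print(host, parse_ident(banner))
    print("real mismatches:", pairwise_mismatches(POSTER_BANNERS))
```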
