Snort mailing list archives

Question about ssh gobbles alert (128:1)


From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 18 Feb 2014 18:35:09 +0000

We had this fire last week between a SourceFire DC 750 and a linux box
that we use for backups.

This is the first time the rule has fired for this pair and it doesn't
make much sense:

on the SF DC

admin@sfdc01:~$ sshd -v
sshd: illegal option -- v
OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013
...
Sourcefire Linux OS v4.10.0 (build 767)
Sourcefire Defense Center 750 v4.10.3.6 (build 17)
2.6.32.24sf.core264-15


on the linux server it's going to:
[root@cirtk002 ~]# sshd -v
sshd: illegal option -- v
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
...
CentOS release 6.5 (Final), 2.6.32-431.1.2.0.1.el6.x86_64
openssh.x86_64                     5.3p1-94.el6
openssh-clients.x86_64             5.3p1-94.el6
openssh-server.x86_64              5.3p1-94.el6

Both of these are > OpenSSH v 3.4 that is talked about in the code for
the alert; also at the Cisco site:
http://tools.cisco.com/security/center/viewAlert.x?alertId=4061

Was something changed recently?

As a side note, we did recently upgrade to snort 2.6.0 on the sensor
that is seeing this traffic, so maybe something changed in that
rule-set version (paid VRT ruleset).
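One way to do the version check the poster is describing (is either endpoint below the OpenSSH 3.4 threshold the 128:1 alert refers to?), as an added example that is not part of the original post. It parses the `OpenSSH_X.YpN` token from both `sshd -v` output and an SSH protocol banner such as `SSH-2.0-OpenSSH_5.3`, so it goes slightly beyond the post by covering both sources. The threshold constant, the host names and the sample banner lines are constructed for the example; the two real banner lines are the ones quoted in the post.

```python
import re

# Threshold cited in the post: the alert's logic talks about OpenSSH < 3.4.
# Assumed here as the triage boundary; compared on (major, minor) only.
VULNERABLE_BELOW = (3, 4)

# Matches "OpenSSH_5.9p1", "OpenSSH_5.3", "OpenSSH_3.4.1p1" inside either
# `sshd -v` output or a wire banner like "SSH-2.0-OpenSSH_5.3".
BANNER_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")

# Constructed sample input: the two lines from the post plus two made-up hosts.
SAMPLE_BANNERS = {
    "sfdc01": "OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013",
    "cirtk002": "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013",
    "legacy-host": "SSH-2.0-OpenSSH_3.3p1",          # constructed, pre-3.4
    "unknown": "SSH-2.0-dropbear_2012.55",            # constructed, not OpenSSH
}


def parse_openssh_version(line):
    """Return (major, minor, patch, portable_release) or None if no OpenSSH token."""
    m = BANNER_RE.search(line)
    if not m:
        return None
    major, minor, patch, portable = m.groups()
    return (int(major), int(minor), int(patch or 0), int(portable or 0))


def is_below_threshold(version, threshold=VULNERABLE_BELOW):
    """True when the major.minor pair is older than the threshold."""
    return version[:2] < threshold


def triage(banners):
    """Classify each host: parsed version and whether it falls in the affected range.

    Hosts whose banner is not OpenSSH get version None and are flagged
    in_affected_range=False, but should be reviewed by hand (see 'needs_review').
    """
    results = {}
    for host, line in banners.items():
        version = parse_openssh_version(line)
        results[host] = {
            "version": version,
            "in_affected_range": version is not None and is_below_threshold(version),
            "needs_review": version is None,
        }
    return results


if __name__ == "__main__":
    for host, info in triage(SAMPLE_BANNERS).items():
        print(f"{host:12} version={info['version']} "
              f"affected={info['in_affected_range']} review={info['needs_review']}")
```

For the two hosts in the post this reports `affected=False` on both sides, which matches the poster's reading that neither endpoint is in the version range the alert describes; a hit on `needs_review` just means the banner was not OpenSSH at all and the triage has to be done another way.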

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org