Snort mailing list archives
Question about ssh gobbles alert (128:1)
From: Jeremy Hoel <jthoel () gmail com>
Date: Tue, 18 Feb 2014 18:35:09 +0000
We had this fire last week between a SourceFire DC 750 and a linux box that we use for backups. This is the first time the rule has fired for this pair and it doesn't make much sense.

On the SF DC:

admin@sfdc01:~$ sshd -v
sshd: illegal option -- v
OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013
...
Sourcefire Linux OS v4.10.0 (build 767)
Sourcefire Defense Center 750 v4.10.3.6 (build 17)
2.6.32.24sf.core264-15

On the linux server it's going to:

[root@cirtk002 ~]# sshd -v
sshd: illegal option -- v
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
...
CentOS release 6.5 (Final), 2.6.32-431.1.2.0.1.el6.x86_64
openssh.x86_64 5.3p1-94.el6
openssh-clients.x86_64 5.3p1-94.el6
openssh-server.x86_64 5.3p1-94.el6

Both of these are > OpenSSH v3.4 that is talked about in the code for the alert; also at the Cisco site: http://tools.cisco.com/security/center/viewAlert.x?alertId=4061

Was something changed recently? As a side note, we did recently upgrade to snort 2.6.0 on the sensor that is seeing this traffic, so maybe something changed in that rule-set version (paid VRT ruleset).
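A small triage helper for alerts like this one, added here as an example and not part of the original message or of Snort's own preprocessor code: it pulls the OpenSSH release out of either the wire identification string (the "SSH-2.0-OpenSSH_5.3" line a sensor sees) or the version line that `sshd -v` prints, and compares both peers against the 3.4 threshold the poster mentions. The banner strings are constructed from the versions in the message, and the parsing rules for banners are an assumption about OpenSSH's format, not a description of how rule 128:1 decides to fire.

```python
import re
from typing import Optional, Tuple

# Threshold the poster cites for the Gobbles alert (OpenSSH 3.4). Assumption:
# this is used only to sort alerts for review, not to reproduce Snort's logic.
GOBBLES_THRESHOLD = (3, 4)

# Matches "OpenSSH_5.9p1" in both RFC 4253 identification strings and the
# usage line printed by `sshd -v` / `ssh -V`; the portable "pN" suffix is ignored.
_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")


def parse_openssh_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, micro) or None when no OpenSSH version is present
    (for example a non-OpenSSH peer), so the caller can route it to manual review."""
    m = _OPENSSH_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_in_gobbles_range(text: str) -> Optional[bool]:
    """True when the peer reports a release older than 3.4, False when it is
    3.4 or newer, None when the version cannot be determined."""
    v = parse_openssh_version(text)
    if v is None:
        return None
    return v[:2] < GOBBLES_THRESHOLD


def triage(client_banner: str, server_banner: str) -> str:
    """Classify a 128:1 alert from the two peers' banners:
    'plausible' if either side is below the threshold, 'unknown' if a side
    could not be parsed, else 'likely-false-positive' (check preprocessor config)."""
    results = [is_in_gobbles_range(b) for b in (client_banner, server_banner)]
    if any(r is True for r in results):
        return "plausible"
    if any(r is None for r in results):
        return "unknown"
    return "likely-false-positive"


if __name__ == "__main__":
    # Constructed from the versions in the message: DC 750 (5.9p1) -> CentOS box (5.3p1).
    dc_banner = "OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013"
    backup_banner = "SSH-2.0-OpenSSH_5.3"
    print(parse_openssh_version(dc_banner), parse_openssh_version(backup_banner))
    print(triage(dc_banner, backup_banner))
```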