Snort mailing list archives

Question about RuleID 128-1 for OpenSSH 7.x


From: Smriti Agarwal via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 3 Jun 2020 21:34:06 -0700

Hello,

I have a question regarding signature 128-1: SSH_EVENT_RESPOVERFLOW is
getting triggered due to CVE-2002-0639 and CVE-2002-0640. According to this
CVE, SSH traffic is seen as a threat only if using OpenSSH versions 2.3.1
through 3.3. But my customer claims that they are not using an OpenSSH version
below 7. Why is this signature getting triggered if the OpenSSH version is 7.x?

Regards,
Smriti Agarwal
Cisco Meraki Technical Support