Snort mailing list archives

Re: [Snort-users] Question about RuleID 128-1 for OpenSSH 7.x


From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 4 Jun 2020 17:01:23 +0000

There is a setting within the preprocessor that controls the SSH_EVENT_RESPOVERFLOW. Check the README.ssh file.



Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com



From: Snort-users <snort-users-bounces () lists snort org> on behalf of Smriti Agarwal via Snort-users <snort-users () lists snort org>
Reply-To: Smriti Agarwal <smriti.agarwal () meraki net>
Date: Thursday, June 4, 2020 at 12:46 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Question about RuleID 128-1 for OpenSSH 7.x

Hello,

I have a question regarding signature 128-1: SSH_EVENT_RESPOVERFLOW is getting triggered due to CVE-2002-0639 and 
CVE-2002-0640. According to these CVEs, SSH traffic is seen as a threat only if using OpenSSH versions 2.3.1 through 3.3. 
But my customer claims that they are not using an OpenSSH version below 7. Why is this signature getting triggered if 
the OpenSSH version is 7.x?

Regards,
Smriti Agarwal
Cisco Meraki Technical Support