Snort mailing list archives

Re: Snort-users digest, Vol 1 #1339 - 10 msgs


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Tue, 27 Nov 2001 08:51:29 +1300 (NZDT)


From: podsednm () inf upol cz
To: snort-users () lists sourceforge net
Date: 26 Nov 2001 15:18:16 +0100
Subject: [Snort-users] cygwin SSH triggers false CRC32 EXPLOIT FILLER alarm

Hello,
Sorry if this has been around before, but I just noticed that
a connection from cygwin's build of SSH triggers a false CRC32
EXPLOIT alarm:

[**] EXPLOIT ssh CRC32 overflow filler [**]
11/26-14:29:43.033100 158.194.80.111:3725 -> 158.194.80.95:22
TCP TTL:128 TOS:0x0 ID:33924 IpLen:20 DgmLen:672 DF
***AP*** Seq: 0x26B45101  Ack: 0xB0489F84  Win: 0xFAD9  TcpLen: 20
00 00 02 74 0B 14 BB 44 84 22 F8 03 71 DD 4A F7  ...t...D."..q.J.
E7 80 F2 3E 42 51 00 00 00 3D 64 69 66 66 69 65  ...>BQ...=diffie


I have heard that any ssh2 connection will trigger this rule.  I have
disabled it; the other two are adequate to catch real attacks.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
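
Added example (not part of either post and not Snort code): a short Python triage of the payload bytes shown in the alert above, decoding them as the start of an SSH protocol 2 binary packet. The function names are hypothetical; the bytes, DgmLen, IpLen and TcpLen are copied from the alert, and only the 32 bytes the page shows are parsed.

```python
import struct

# First 32 payload bytes from the alert in the post above (all the page shows).
ALERT_PAYLOAD = bytes.fromhex(
    "000002740b14bb448422f80371dd4af7"
    "e780f23e42510000003d646966666965"
)
ALERT_DGMLEN = 672          # DgmLen from the alert header
IP_HDR, TCP_HDR = 20, 20    # IpLen and TcpLen from the alert header

SSH_MSG_KEXINIT = 20        # SSH protocol 2 key exchange init message


def parse_ssh2_packet_prefix(payload):
    """Decode the start of an SSH-2 binary packet: uint32 packet_length,
    byte padding_length, byte message type, then (for KEXINIT) a 16-byte
    cookie and the length-prefixed kex_algorithms name-list."""
    if len(payload) < 6:
        raise ValueError("need at least 6 bytes")
    packet_length, padding_length, msg_type = struct.unpack(">IBB", payload[:6])
    info = {
        "packet_length": packet_length,
        "padding_length": padding_length,
        "msg_type": msg_type,
        "is_kexinit": msg_type == SSH_MSG_KEXINIT,
    }
    if info["is_kexinit"] and len(payload) >= 26:
        info["cookie"] = payload[6:22]
        (list_len,) = struct.unpack(">I", payload[22:26])
        info["kex_list_length"] = list_len
        # Truncated here because only part of the packet was captured.
        info["kex_list_prefix"] = payload[26:26 + list_len].decode("ascii", "replace")
    return info


def fills_segment(info, dgm_len, ip_hdr, tcp_hdr):
    """True when the 4-byte length field plus packet_length equals the TCP
    payload size, i.e. the segment holds exactly one well-formed packet."""
    return 4 + info["packet_length"] == dgm_len - ip_hdr - tcp_hdr


if __name__ == "__main__":
    info = parse_ssh2_packet_prefix(ALERT_PAYLOAD)
    print(info)
    print("one packet per segment:", fills_segment(info, ALERT_DGMLEN, IP_HDR, TCP_HDR))
```

On the bytes from the alert this reports message type 20 (SSH_MSG_KEXINIT) with a name-list beginning `diffie`, and the length field accounts for the whole 632-byte TCP payload.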

