Re: How can I configure ssh preprocessor??

[carlopmart <carlopmart () gmail com>]

On 03/30/2011 03:50 PM, carlopmart wrote:
> Hi all,
>
> I have a big problem with the ssh preprocessor configuration when
> "enable_protomismatch" is enabled. I have several different unix
> platforms on my network, like Solaris, OpenSolaris, RHEL, Ubuntu, etc.
> With my actual ssh preprocessor configuration, a lot of alerts are fired
> because every platform shows a different string.
>
> For example:
>
> a) Ubuntu LTS 10.04: "SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu6"
> b) RHEL6: "SSH-2.0-OpenSSH_5.3"
> c) RHEL5: "SSH-2.0-OpenSSH_4.3"
> d) My firewalls: "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3"
> ....
>
> All clients and servers are configured to use protocol version 2, but
> when I try to connect via ssh between an ubuntu and rhel host, alarm
> "ssh: protocol mismatch" appears.
>
> My ssh preprocessor config is:
>
> preprocessor ssh: server_ports { 22 } \
> autodetect \
> max_client_bytes 19600 \
> max_encrypted_packets 20 \
> max_server_version_len 100 \
> enable_respoverflow enable_ssh1crc32 \
> enable_srvoverflow enable_protomismatch
>
> How can I adjust this config??
>
> Thanks.

Sorry, my snort version is 2.9.0.4 under a RHEL 5.4 host.

Thanks.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users