Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: How can I configure ssh preprocessor??

From: carlopmart <carlopmart () gmail com>
Date: Wed, 30 Mar 2011 18:27:18 +0200
On 03/30/2011 05:06 PM, Olaf Schreck wrote:

Carlo,


    I have a big problem with the ssh preprocessor configuration when
"enable_protomismatch" is enabled. I have several different unix
platforms on my network, like Solaris, OpenSolaris, RHEL, Ubuntu, etc.
With my actual ssh preprocessor configuration, a lot of alerts are fired
because every platform shows a different string.


I had a similar issue here (2.9.0.4, OpenBSD).  Google suggested
removing "autodetect" from the ssh preproc config, this worked for me
even with "enable_protomismatch" enabled.

BTW, the most obvious fix would be to remove "enable_protomismatch", no?




Yes, it is the most obvious .. but If one host is compromised, what to 
do then??


-- 
CL Martinez
carlopmart {at} gmail {d0t} com

------------------------------------------------------------------------------
Create and publish websites with WebMatrix
Use the most popular FREE web apps or write code yourself; 
WebMatrix provides all the features you need to develop and 
publish your website. http://p.sf.net/sfu/ms-webmatrix-sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: