Snort mailing list archives
EXPLOIT ssh CRC32 false alerts
From: Jean Michel BARBET <Jean-Michel.Barbet () subatech in2p3 fr>
Date: Mon, 17 Jun 2002 15:19:18 +0200
Hello,

It looks like I am getting false SSH alerts since I upgraded my SSH servers from SSHV1 to SSHV2 (OpenSSH):

    [**] [1:1325:1] EXPLOIT ssh CRC32 overflow filler [**]
    [Classification: Executable code was detected] [Priority: 1]
    06/17-14:22:08.003877 XXX.XXX.XXX.XXX:1090 -> YYY.YYY.YYY.YYY:22
    TCP TTL:54 TOS:0x0 ID:61699 IpLen:20 DgmLen:672 DF
    ***AP*** Seq: 0xE0667173  Ack: 0x43E2EA00  Win: 0x1920  TcpLen: 20
    [Xref => http://www.securityfocus.com/bid/2347]
    [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

Has anybody noticed the same? Any explanation (is it normal that the filler "|00 00 00 00 00 00 00 00 00 00 00 00 00|" appears in normal operation of the V2 protocol?)

How can I modify the rules (or may be this is fixed in more recent rules. I am using the rules that came with Snort version 1.8.2, Build 86).

Thank you.

Jean-Michel.

--
------------------------------------------------------------------------
Jean-michel BARBET                    | Tel: +33 (0)2 51 85 84 86
Laboratoire SUBATECH Nantes France    | Fax: +33 (0)2 51 85 84 79
CNRS-IN2P3/Ecole des Mines/Universite | E-Mail: barbet () subatech in2p3 fr
------------------------------------------------------------------------
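As an added example (not part of the post), a Python check of one hypothesis for the false positive: an SSHv2 KEXINIT message ends with two empty language name-lists, the first_kex_packet_follows byte and a reserved uint32, which together are exactly thirteen NUL bytes (RFC 4253 section 7.1). It assumes the 13-NUL string quoted in the question is the content match of SID 1325 (the rule text is not on the page); the cookie and algorithm lists are constructed sample values.

```python
import struct

# Thirteen NUL bytes: the "filler" string quoted in the alert above.
# Assumption: this is the content match of SID 1325; the rule text itself
# is not on the page.
CRC32_FILLER = b"\x00" * 13

# Constructed, fixed cookie so the output is reproducible (real clients send
# 16 random bytes).
SAMPLE_COOKIE = bytes(range(1, 17))

def name_list(names):
    """Encode an SSH name-list: uint32 length, then comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(kex, host_key, ciphers, macs, compression, languages,
                  cookie=SAMPLE_COOKIE):
    """Build an SSH_MSG_KEXINIT payload as laid out in RFC 4253 section 7.1.
    This message is sent in the clear by both peers before any encryption."""
    payload = bytes([20]) + cookie           # SSH_MSG_KEXINIT = 20
    payload += name_list(kex)
    payload += name_list(host_key)
    payload += name_list(ciphers) * 2        # client->server, server->client
    payload += name_list(macs) * 2
    payload += name_list(compression) * 2
    payload += name_list(languages) * 2      # empty list encodes as 00 00 00 00
    payload += b"\x00"                       # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)          # reserved, always zero
    return payload

def filler_offset(payload):
    """Offset at which the filler pattern would match, or -1 if it does not."""
    return payload.find(CRC32_FILLER)

if __name__ == "__main__":
    # Constructed algorithm lists; what matters is the empty language lists.
    kexinit = build_kexinit(["diffie-hellman-group1-sha1"], ["ssh-rsa"],
                            ["aes128-cbc"], ["hmac-sha1"], ["none"], [])
    off = filler_offset(kexinit)
    print(f"payload {len(kexinit)} bytes, filler at offset {off}")
    print(f"trailing 13 bytes: {kexinit[-13:].hex()}")
```

Any SSHv2 client that advertises no language preferences therefore produces the pattern in its first unencrypted message to port 22, which is consistent with the alert firing once per new session; checking whether the alerts cluster at session start is a quick way to confirm this before tuning the rule.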