Snort mailing list archives

Re: Rule SID 1325


From: Brian <bmc () snort org>
Date: Thu, 6 Nov 2003 15:05:43 -0500

On Thu, Nov 06, 2003 at 10:22:02AM -0800, Matt Linton wrote:
> I've seen a few random messages to this effect in the past, but it's worth
> noting: The rule #1325 seems to repeatedly false positive on SSH v2
> connections as a part of the normal handshake. Is this rule obsolete, or
> perhaps SSH with the minimum of options set simply has a lot of "00"
> options at the end, matching the rule?

This rule is turned off in the default ruleset. The docs should get
updated to have the false positive of any modern ssh 2 client traffic
(though I thought they did).

-brian

