Snort mailing list archives
Re: Rule SID 1325
From: Brian <bmc () snort org>
Date: Thu, 6 Nov 2003 15:05:43 -0500
On Thu, Nov 06, 2003 at 10:22:02AM -0800, Matt Linton wrote:
> I've seen a few random messages to this effect in the past, but it's worth noting: The rule #1325 seems to repeatedly false positive on SSH v2 connections as a part of the normal handshake. Is this rule obsolete, or perhaps SSH with the minimum of options set simply has a lot of "00" options at the end, matching the rule?
This rule is turned off in the default ruleset. The docs should get updated to have the false positive of any modern ssh 2 client traffic (though I thought they did)
-brian