Snort mailing list archives
packet content and signature unmatch
From: hchlai () netscape net
Date: Mon, 17 Jul 2006 09:31:50 -0400
Hi Snorters, I have 2 questions regarding sid:1811 /etc/snort/rules/attack-responses.rules:alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:9; First of all, since ssh sessions are encrypted, I should never see a packet content of "uname" in non-encrypted format. Am I missing something fundamental in here or it's just a Monday morning? Secondly, this signature is recorded in 2 packets by BASE, but neither packets nor their combine contents contain "uname" in it, so what exactly triggered this signature? Many thanks! I am running BASE 1.2.5 and Snort 2.4.5 HinSuk ------------------------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- packet content and signature unmatch hchlai (Jul 17)
- Re: packet content and signature unmatch Eric Hines (Jul 17)
- Re: packet content and signature unmatch pauls (Jul 17)