Snort mailing list archives

Re: ssh: Protocol mismatch


From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Wed, 16 Dec 2009 11:56:46 -0500

I know this is delayed, I haven't been trolling snort-users as much lately.

"Protocol Mismatch" should be alerting when the version strings for your SSH
Client and Server don't match up. This is intended to happen in the
following situations:

- SSH1 client connecting to an SSH2 server
- SSH2 client connecting to an SSH1 server
- A non-SSH client connecting to an SSH server.

As of Snort 2.8.5.1, there's a bug where turning on "autodetect" in your SSH
config will give you a lot of "Protocol Mismatch" false positives. This will
be fixed in the next release. However, I didn't see "autodetect" enabled in
Chris' pasted config.

Chris, I'm not really sure how you managed to generate so many alerts. I can
tell you that the only real exploit "Protocol Mismatch" alerts on is some
old Cisco server vuln*. Other than that, it's just anomaly detection. If
it's too noisy, you ought to be fine turning it off.

-Ryan

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0080
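To make the three situations above concrete, here is an added Python example (not Snort's ssh preprocessor code and not from anyone in this thread) that applies the same version-string rule to the identification lines both sides send before key exchange; it also handles the RFC 4253 "1.99" compatibility value, which the reply does not mention. All banner values in it are constructed for illustration, including the SecureCRT one.

```python
import re

# RFC 4253 identification string:
#   SSH-protoversion-softwareversion [SP comments] CR LF
_BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


def banner_from_stream(data: bytes) -> str:
    """Return the first line a peer sends (the identification string).

    The version exchange happens before key exchange, so only the
    first line of each direction matters for a mismatch decision.
    """
    first, _, _ = data.partition(b"\r\n")
    return first.decode("ascii", errors="replace")


def parse_banner(line: str):
    """Return (major, minor, software) or None if not an SSH banner."""
    m = _BANNER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), m.group(3)


def supported_majors(major: int, minor: int) -> set:
    """Protocol majors a peer advertising major.minor can speak.

    '1.99' is the compatibility value: such a server accepts both
    SSH-1 and SSH-2 clients, so it must not be flagged against either.
    """
    return {1, 2} if (major, minor) == (1, 99) else {major}


def classify(client_line: str, server_line: str) -> str:
    """Mirror the cases in the reply: SSH1<->SSH2 and a non-SSH client
    on the SSH port are mismatches; compatible majors are 'ok'."""
    c = parse_banner(client_line)
    s = parse_banner(server_line)
    if c is None:
        return "non_ssh_client"      # e.g. an HTTP request sent to port 22
    if s is None:
        return "non_ssh_server"      # server side is not speaking SSH at all
    if supported_majors(c[0], c[1]) & supported_majors(s[0], s[1]):
        return "ok"
    return "mismatch"


# Constructed sample exchange (not captured traffic): a SecureCRT 4.0.1
# client talking to an OpenSSH 5.1p1 server forced to "Protocol 2".
CLIENT_STREAM = b"SSH-2.0-SecureCRT_4.0.1\r\n\x00\x00\x02\x14..."
SERVER_STREAM = b"SSH-2.0-OpenSSH_5.1p1\r\n\x00\x00\x03\x1c..."
```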

On Mon, Dec 7, 2009 at 3:43 PM, Eoin Miller <eoin.miller () trojanedbinaries com> wrote:

FYI, I've seen the same thing happen when using PuTTY as a client from
a Windows box.

-- Eoin

Griffin, Chris Andrew (Chris) wrote:
Guys,

      I just re-activated my sensor after a period of inactivity (mysql
db machine was down).  Preprocessors are enabled including the
(experimental?) ssh preprocessor.

preprocessor ssh: server_ports { 22 } \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch


      I started two SSH2 sessions from a HOME_NET Windows XP PC (Secure
CRT 4.0.1) to the Slackware 12.1 system running snort (Version 2.8.5.1
(Build 114)).  It is OpenSSH_5.1p1 forcing "Protocol 2".

      I ended up getting 194 alerts labeled "ssh: Protocol mismatch".  As
far as I know my connection was a "clean" two-way traffic exchange.  All the
alerts are pertaining to the SSH Client -> SSH Server packets, though this
makes some sense considering what I read about the protocol mismatch.  I
tried another session from a !HOME_NET PC with another "clean" session and
before I typed anything at the command prompt I had 58 alerts.

      The odd thing is, I wouldn't expect a protocol mismatch to be
triggered in this case?  I can't find much in the docs about how this alert
works, but from what I gather it's when a non-SSH packet is sent to an SSH
server on SSH_PORT (22)?  Also README.ssh says "The Secure CRT and protocol
mismatch exploits are observable before the key exchange." but I believe a
lot of the packets triggering this alert may not be before the key exchange,
but I'm definitely no SSH expert.


Thoughts?  Does this sound like a problem?  Or do I misunderstand how this
works?




Chris Griffin



------------------------------------------------------------------------------
Join us December 9, 2009 for the Red Hat Virtual Experience,
a free event focused on virtualization and cloud computing.
Attend in-depth sessions from your desk. Your couch. Anywhere.
http://p.sf.net/sfu/redhat-sfdev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




