Snort mailing list archives
Re: Confusion on Protocol Mismatch
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Fri, 10 Dec 2010 11:00:36 -0500
I haven't changed it since Snort 2.8.5.3, about a year ago.

James, that's an alert from the SSH preprocessor. It alerts in the event of non-SSH traffic on an SSH port, or a mismatch where one end uses SSH-1 and the other end uses SSH-2.

Check the traffic that caused the alert. If it looks like it shouldn't have alerted, post the section of snort.conf that starts with "preprocessor ssh:".

-Ryan

On Fri, Dec 10, 2010 at 10:30 AM, Weir, Jason <jason.weir () nhrs org> wrote:
> Overnight I've seen a bunch of these as well. Did something change with 128-4?
>
> -J
>
> -----Original Message-----
> From: Lay, James [mailto:james.lay () wincofoods com]
> Sent: Friday, December 10, 2010 10:22 AM
> To: snort-users () lists sourceforge net
> Subject: Confusion on Protocol Mismatch
>
> Team,
>
> So…I’m confused on just where this is a protocol mismatch:
>
> 12/10-08:16:10.632806 [**] [128:4:1] (spp_ssh) Protocol mismatch [**] [Priority: 3] {TCP} 10.21.10.101:1180 -> 10.21.10.2:22
>
> Relevant conf entries:
>
> var SSH_SERVERS [10.21.0.9,10.21.10.2,10.21.10.8]
> portvar SSH_PORTS 22
>
> Thanks/Danke/Gracias
>
> James Lay
> IT Security Analyst
> WinCo Foods
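Added example (not part of the thread, and not Snort's own code): a small triage helper for the "check the traffic" step above. It pulls the flow endpoints out of the alert line, then labels the first bytes each side sent as non-SSH, a version mismatch, or consistent. The function names, labels and sample payloads are assumptions made for illustration; the SSH preprocessor's real logic may differ.

```python
import re

# Fast-alert line layout as shown in the thread: [gid:sid:rev] ... {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(r"\[(\d+):(\d+):(\d+)\].*?\{(\w+)\}\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")
# SSH identification string (RFC 4253, section 4.2): SSH-protoversion-softwareversion
BANNER_RE = re.compile(rb"^SSH-(\d+)\.(\d+)-")


def parse_alert(line):
    """Extract generator/signature IDs and the flow endpoints from a fast-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    gid, sid, rev, proto, src, sport, dst, dport = m.groups()
    return {"gid": int(gid), "sid": int(sid), "rev": int(rev), "proto": proto,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def offered_versions(payload):
    """Major SSH versions a peer offers, from the first bytes it sent; empty set if not SSH."""
    for line in payload.split(b"\n"):  # a server may send other lines before its banner
        m = BANNER_RE.match(line)
        if m:
            major, minor = int(m.group(1)), int(m.group(2))
            # "1.99" is the compatibility marker: the server speaks both SSH-1 and SSH-2
            return {1, 2} if (major, minor) == (1, 99) else {major}
    return set()


def triage(client_payload, server_payload):
    """Label a flow with one of the two conditions described in the reply, or 'consistent'."""
    client, server = offered_versions(client_payload), offered_versions(server_payload)
    if not client or not server:
        return "non-ssh"
    if not client & server:
        return "version-mismatch"
    return "consistent"


# Alert line copied from the thread; the payloads below are constructed samples.
ALERT = ("12/10-08:16:10.632806 [**] [128:4:1] (spp_ssh) Protocol mismatch [**] "
         "[Priority: 3] {TCP} 10.21.10.101:1180 -> 10.21.10.2:22")

if __name__ == "__main__":
    flow = parse_alert(ALERT)
    print(flow["src"], "->", flow["dst"], flow["dport"])
    print(triage(b"SSH-2.0-ExampleClient\r\n", b"SSH-1.5-ExampleServer\r\n"))
    print(triage(b"SSH-2.0-ExampleClient\r\n", b"SSH-1.99-ExampleServer\r\n"))
    print(triage(b"GET / HTTP/1.1\r\n", b"SSH-2.0-ExampleServer\r\n"))
```

Feed it the first payload from each direction of the flow named in the alert, taken from a packet capture.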
Current thread:
- Confusion on Protocol Mismatch Lay, James (Dec 10)
- Re: Confusion on Protocol Mismatch Weir, Jason (Dec 10)
- Re: Confusion on Protocol Mismatch Ryan Jordan (Dec 10)
- Re: Confusion on Protocol Mismatch Lay, James (Dec 10)
- Re: Confusion on Protocol Mismatch Ryan Jordan (Dec 10)
- Re: Confusion on Protocol Mismatch Weir, Jason (Dec 10)