Snort mailing list archives

Re: Confusion on Protocol Mismatch


From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 10 Dec 2010 09:07:28 -0700

Ryan,

Here's the info:

preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch

openssh is set to ver 2 only:

telnet 10.21.10.2 22
SSH-2.0-OpenSSH_5.6

Putty on 10.21.10.101 is set to only ver 2 as well.  Pcap dump:

08:16:10.632806 IP 10.21.10.101.1180 > 10.21.10.2.22: Flags [P.], ack 2801084258, win 64551, length 52
        0x0000:  4500 005c da00 4000 8006 f80a 0a15 0a65  E..\..@........e
        0x0010:  0a15 0a02 049c 0016 256f 72ec a6f5 2762  ........%or...'b
        0x0020:  5018 fc27 44c0 0000 de6b e538 ec71 3272  P..'D....k.8.q2r
        0x0030:  bdcf a540 ed35 eac4 8470 d3a4 f591 8e97  ...@.5...p......
        0x0040:  c812 73cc e032 bf36 a2d4 86f6 1ded 0bf1  ..s..2.6........
        0x0050:  357b e01e 3c42 c917 ff6d 9793            5{..<B...m..
08:26:23.587012 IP 10.21.10.101.1180 > 10.21.10.2.22: Flags [P.], ack 4249, win 64135, length 52
        0x0000:  4500 005c eef8 4000 8006 e312 0a15 0a65  E..\..@........e
        0x0010:  0a15 0a02 049c 0016 256f 7354 a6f5 37fa  ........%osT..7.
        0x0020:  5018 fa87 1ccc 0000 ea0a 5210 8398 7a2d  P.........R...z-
        0x0030:  0b61 ce8b 6b08 8bbb a8fb 3af1 c4bf bcc4  .a..k.....:.....
        0x0040:  2508 01c0 dc31 3d5a be38 38a2 f144 83d4  %....1=Z.88..D..
        0x0050:  d85e 301c d467 663a 111a 82cb            .^0..gf:....

Ironically, 10.21.20.2 IS the snort machine ;)

James

-----Original Message-----
From: Ryan Jordan [mailto:ryan.jordan () sourcefire com] 
Sent: Friday, December 10, 2010 9:01 AM
To: Weir, Jason
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Confusion on Protocol Mismatch

I haven't changed it since Snort 2.8.5.3, about a year ago.

James, that's an alert from the SSH preprocessor. It alerts in the event of non-SSH traffic on an SSH port, or a 
mismatch where one end uses SSH-1 and the other end uses SSH-2.

Check the traffic that caused the alert. If it looks like it shouldn't have alerted, post the section of snort.conf 
that starts with "preprocessor ssh:".

-Ryan
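
The two conditions Ryan describes for the 128:4 alert, re-created as a small banner check. This is an added illustration, not code from the thread or from Snort's spp_ssh source; the banner format and the "1.99" compatibility rule come from RFC 4253, while the last scenario is my assumption that a session Snort first sees after key exchange (as the pushed 52-byte packets in James's dump suggest) shows the preprocessor no banner at all.

```python
import re
from typing import Optional

# Banner format per RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-([^\r\n ]+)")

def parse_banner(data: bytes) -> Optional[str]:
    """Return the protoversion ("1.5", "1.99", "2.0") if data starts with an SSH banner, else None."""
    m = BANNER_RE.match(data)
    return m.group(1).decode() if m else None

def major_versions(proto: str) -> set:
    """Major protocol versions a banner can speak. "1.99" is the RFC 4253
    compatibility marker for a server that accepts both SSH-1 and SSH-2."""
    if proto == "1.99":
        return {1, 2}
    return {int(proto.split(".")[0])}

def protocol_mismatch(client_first: bytes, server_first: bytes) -> Optional[str]:
    """Re-create the two conditions Ryan gives for spp_ssh 128:4: non-SSH data on an
    SSH port, or banners with no major version in common. Returns a reason or None."""
    c = parse_banner(client_first)
    s = parse_banner(server_first)
    if c is None or s is None:
        return "non-SSH data on SSH port"
    if not (major_versions(c) & major_versions(s)):
        return f"client SSH-{c} vs server SSH-{s}"
    return None

# Constructed sample streams (not captured traffic). SERVER_V2 is the banner James
# saw over telnet; MID_STREAM is the first 8 TCP payload bytes of the first packet
# in his dump, i.e. already-encrypted data with no banner in front of it (assumption).
SERVER_V2 = b"SSH-2.0-OpenSSH_5.6\r\n"
SERVER_V199 = b"SSH-1.99-OpenSSH_3.9\r\n"
CLIENT_V2 = b"SSH-2.0-PuTTY_Release_0.60\r\n"
CLIENT_V1 = b"SSH-1.5-OpenSSH_2.9\r\n"
MID_STREAM = bytes.fromhex("de6be538ec713272")

def check_scenarios() -> dict:
    return {
        "both v2": protocol_mismatch(CLIENT_V2, SERVER_V2),
        "v1 client, v2 server": protocol_mismatch(CLIENT_V1, SERVER_V2),
        "v1 client, 1.99 server": protocol_mismatch(CLIENT_V1, SERVER_V199),
        "http on port 22": protocol_mismatch(b"GET / HTTP/1.0\r\n", SERVER_V2),
        "session first seen mid-stream": protocol_mismatch(MID_STREAM, MID_STREAM),
    }

if __name__ == "__main__":
    for name, verdict in check_scenarios().items():
        print(f"{name}: {verdict or 'no alert'}")
```

Only the last two scenarios fire for the reason "non-SSH data on SSH port", which is the case to rule out first when both ends are known to be SSH-2 only.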

On Fri, Dec 10, 2010 at 10:30 AM, Weir, Jason <jason.weir () nhrs org> wrote:
Overnight I've seen a bunch of these as well. Did something change with 
128-4?

-J

-----Original Message-----
From: Lay, James [mailto:james.lay () wincofoods com]
Sent: Friday, December 10, 2010 10:22 AM
To: snort-users () lists sourceforge net
Subject: Confusion on Protocol Mismatch

Team,

So...I'm confused on just where this is a protocol mismatch:

12/10-08:16:10.632806  [**] [128:4:1] (spp_ssh) Protocol mismatch [**]
[Priority: 3] {TCP} 10.21.10.101:1180 -> 10.21.10.2:22

Relevant conf entries:

var SSH_SERVERS [10.21.0.9,10.21.10.2,10.21.10.8]
portvar SSH_PORTS 22

Thanks/Danke/Gracias

James Lay
IT Security Analyst
WinCo Foods
208-672-2014 Office
208-559-1855 Cell
650 N Armstrong Pl.
Boise, Idaho 83704


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
