Snort mailing list archives
Re: [Snort-users] Question about RuleID 128-1 for OpenSSH 7.x
From: "Al Lewis (allewi) via Snort-sigs" <snort-sigs () lists snort org>
Date: Thu, 4 Jun 2020 17:01:23 +0000
There is a setting within the preprocessor that controls the SSH_EVENT_RESPOVERFLOW. Check the README.ssh file.

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com

From: Snort-users <snort-users-bounces () lists snort org> on behalf of Smriti Agarwal via Snort-users <snort-users () lists snort org>
Reply-To: Smriti Agarwal <smriti.agarwal () meraki net>
Date: Thursday, June 4, 2020 at 12:46 PM
To: "snort-sigs () lists snort org" <snort-sigs () lists snort org>, "snort-users () lists snort org" <snort-users () lists snort org>
Subject: [Snort-users] Question about RuleID 128-1 for OpenSSH 7.x

Hello,

I have a question regarding signature 128-1: SSH_EVENT_RESPOVERFLOW is getting triggered due to CVE-2002-0639 and CVE-2002-0640. According to this CVE, SSH traffic is seen as a threat only if using OpenSSH versions 2.3.1 through 3.3. But my customer claims that they are not using OpenSSH version below 7. Why is this signature getting triggered if OpenSSH version is 7.x?

Regards,
Smriti Agarwal
Cisco Meraki Technical Support
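Added example, not part of the original thread and not the Snort project's shipped configuration: a Snort 2.x `snort.conf` fragment showing the SSH preprocessor options that README.ssh documents for this event. The numeric values are the defaults as documented for Snort 2.9 and the port list is an assumption; confirm both against the README.ssh shipped with your version.

```conf
# GID 128 / SID 1 (SSH_EVENT_RESPOVERFLOW) is raised by the SSH
# preprocessor, not by a text rule. Per README.ssh it is a traffic
# heuristic: the client sent more than max_client_bytes of unanswered
# data within the first max_encrypted_packets packets of an SSH-2
# session. The version exchange is used only to tell SSH-1 from SSH-2,
# so the alert can fire against any OpenSSH release, including 7.x.

# Stock form: challenge-response overflow check enabled.
preprocessor ssh: server_ports { 22 } \
    max_client_bytes 19600 \
    max_encrypted_packets 20 \
    max_server_version_len 100 \
    enable_respoverflow enable_ssh1crc32 \
    enable_srvoverflow enable_protomismatch

# Tuning option A (replace the block above, keep only one
# "preprocessor ssh" statement): leave the check on but raise the
# unanswered-byte threshold so large legitimate client bursts
# early in the session stop alerting. The documented range is 0-65535.
#
# preprocessor ssh: server_ports { 22 } \
#     max_client_bytes 65535 \
#     max_encrypted_packets 20 \
#     max_server_version_len 100 \
#     enable_respoverflow enable_ssh1crc32 \
#     enable_srvoverflow enable_protomismatch

# Tuning option B: once every monitored server is confirmed to run a
# release outside the range named in the CVEs, drop enable_respoverflow
# and keep the remaining checks.
#
# preprocessor ssh: server_ports { 22 } \
#     max_client_bytes 19600 \
#     max_encrypted_packets 20 \
#     max_server_version_len 100 \
#     enable_ssh1crc32 \
#     enable_srvoverflow enable_protomismatch
```

Before changing either setting, review a packet capture of an alerting session to confirm the large early client payload comes from an expected application.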