Pantek Library

[Snort-sigs] Cygwin SSH and EXPLOIT ssh CRC32 overflow filler

From: Grounds, Adam <AGrounds(at)reliant.com>
Date: Fri Feb 28 2003 - 12:37:23 EST


RE: EXPLOIT ssh CRC32 overflow filler > exploit.rules

After updating to the latest stable ruleset for 1.9.x, I started receiving positives for this alert in my MySQL database. Upon closer inspection and some research, it turns out that my users who are using the Cygwin toolset (source: http://www.cygwin.com) to SSH into their production servers are generating this alert. Every initial SSH connection generates this alert. I cannot duplicate this using other SSH clients at this time. It appears that Cygwin's OpenSSH port pads the last 22 blocks of the initiation string with 0s, triggering this alert. I'm disabling the rule for myself, but I thought I'd throw a heads-up out to you fellow snorters.

Grounds, Adam M
EMS Infrastructure Group : Reliant Resources Inc.
AGrounds@reliant.com
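The post reports a false positive: a rule that looks for the NUL-byte "filler" of the SSH CRC32 exploit fires on every first packet from Cygwin's OpenSSH client, because that client appends a run of zeros to its version banner. Before disabling such a rule it is worth checking what the matching packets actually look like. The script below is an added example and is not code from the original post, from the Snort project or from Cygwin: it emulates a content match of that kind on constructed packets and separates "a run of NULs that is nothing but trailing padding after a well-formed banner" from any other match. The threshold of 22 consecutive NUL bytes, the `Packet` structure and every sample payload are assumptions taken from the post's description; the real rule text is not on this page.

```python
# Added example: not code from the original post or the Snort project.
# Emulates the kind of match the "EXPLOIT ssh CRC32 overflow filler" rule
# name implies (a long run of NUL bytes in client traffic to port 22) and
# applies a triage check to constructed SSH client packets.
from dataclasses import dataclass

# Assumption: the rule fires on at least this many consecutive NUL bytes.
# The actual rule text and its threshold are not on this page.
FILLER_MIN_RUN = 22
SSH_PORT = 22


@dataclass
class Packet:
    """Minimal stand-in for a captured client->server segment (assumed shape)."""
    src: str
    dport: int
    payload: bytes


def longest_nul_run(data: bytes) -> int:
    """Length of the longest run of 0x00 bytes in data."""
    longest = run = 0
    for b in data:
        run = run + 1 if b == 0 else 0
        longest = max(longest, run)
    return longest


def filler_rule_matches(pkt: Packet, min_run: int = FILLER_MIN_RUN) -> bool:
    """Emulated rule: traffic to port 22 carrying a NUL run of at least min_run."""
    return pkt.dport == SSH_PORT and longest_nul_run(pkt.payload) >= min_run


def is_banner_padding(payload: bytes) -> bool:
    """Triage heuristic for the false positive described in the post: the NUL
    run is nothing more than trailing padding after a complete SSH version
    banner ("SSH-x.y-software\\r\\n"). Anything else that matched (NULs before
    the banner, NULs mixed with other data, or a NUL run in a packet that has
    no banner at all) is left as an alert to be looked at."""
    if not payload.startswith(b"SSH-"):
        return False
    nl = payload.find(b"\n")
    if nl == -1:
        return False
    trailer = payload[nl + 1:]
    return len(trailer) > 0 and trailer.count(0) == len(trailer)


def classify(pkt: Packet) -> str:
    """Return 'no-match', 'banner-padding' or 'alert' for one packet."""
    if not filler_rule_matches(pkt):
        return "no-match"
    if is_banner_padding(pkt.payload):
        return "banner-padding"
    return "alert"


# Constructed sample packets, not captures. "cygwin-like" follows the post's
# description: a normal banner followed by a run of NUL bytes.
SAMPLES = {
    "plain-openssh": Packet("10.0.0.5", 22, b"SSH-2.0-OpenSSH_3.5p1\r\n"),
    "cygwin-like": Packet("10.0.0.6", 22, b"SSH-2.0-OpenSSH_3.5p1\r\n" + b"\x00" * 22),
    "short-pad": Packet("10.0.0.6", 22, b"SSH-2.0-OpenSSH_3.5p1\r\n" + b"\x00" * 8),
    "not-ssh-port": Packet("10.0.0.7", 80, b"\x00" * 64),
    # NULs inside a later binary packet, with no banner: still worth an alert.
    "later-packet": Packet("10.0.0.8", 22, b"\x00\x00\x01\x2c" + b"\x00" * 120 + b"\x41" * 16),
}


def classify_all(samples=SAMPLES) -> dict:
    """Run the emulated rule plus triage over every sample packet."""
    return {name: classify(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:14s} {verdict}")
```

The point of `is_banner_padding` is to narrow the exception to exactly the shape the post describes, so that a NUL run arriving after the version exchange, which is where an exploit payload would sit, still produces an alert instead of the whole rule being switched off.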




Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

Received on Fri Feb 28 13:14:08 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:25 EDT

