From owner-freebsd-security Thu Nov 29 14:58:37 2001
Message-Id: <3.0.5.32.20011130025506.008447c0@iname.com>
Date: Fri, 30 Nov 2001 02:55:06 +0400
To: Emre Bastuz, security@FreeBSD.ORG
From: SM
Subject: Re: sshd: rcvd big packet ?
In-Reply-To: <3C0692F1.2040904@emre.de>

At 20:56 29-11-2001 +0100, Emre Bastuz wrote:
>I'm running snort 1.8.1 on this box - the IDS did not leave any attack alerts ?
From the Snort 1.8.2 rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; content:"|FF FF FF FF 00 00|"; offset:8; depth:14; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1327; rev:1;)

Regards,
-sm
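As an added illustration (not part of the original message and not Snort's own code), the following Python script parses the four rules above, decodes their content strings (including the |hex| notation), and evaluates the content/offset/depth clauses against constructed sample payloads, so you can see which signature would fire on which byte pattern. It assumes that depth is counted from the offset position, and it deliberately ignores the flags:A+ and port-22 parts of the rules, which a real sensor evaluates on the TCP header.

```python
# Added example: evaluates the content/offset/depth clauses of the four Snort
# rules quoted above against constructed sample payloads. This is not code from
# the original message or from the Snort project. TCP flag and port matching
# (flags:A+, port 22) are out of scope here.
import re

# The four rules exactly as quoted in the message.
SNORT_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; '
    'flags:A+; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
    'classtype:shellcode-detect; sid:1324; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; '
    'flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; '
    'reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; '
    'flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; '
    'reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1326; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; '
    'flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7; '
    'content:"|FF FF FF FF 00 00|"; offset:8; depth:14; reference:bugtraq,2347; '
    'reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1327; rev:1;)',
]

# One rule option: key, optional ":value" (quoted or up to the next ';'), then ';'.
_OPTION = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')


def decode_content(text: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside |...| is space-separated hex octets."""
    out = bytearray()
    for i, part in enumerate(text.split('|')):
        if i % 2 == 1:
            out += bytes.fromhex(part)      # fromhex ignores the spaces between octets
        else:
            out += part.encode('latin-1')
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Extract msg, sid and the list of content clauses (with offset/depth)."""
    _, _, body = rule.partition('(')
    body = body.rsplit(')', 1)[0]
    parsed = {'sid': None, 'msg': '', 'contents': []}
    for m in _OPTION.finditer(body):
        key, val = m.group(1), (m.group(2) or '').strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        if key == 'msg':
            parsed['msg'] = val
        elif key == 'sid':
            parsed['sid'] = int(val)
        elif key == 'content':
            parsed['contents'].append({'pattern': decode_content(val), 'offset': 0, 'depth': None})
        elif key in ('offset', 'depth'):
            parsed['contents'][-1][key] = int(val)   # modifies the preceding content clause
    return parsed


def content_matches(payload: bytes, pattern: bytes, offset: int, depth) -> bool:
    """Assumption: the search window starts at `offset` and, if depth is set,
    spans `depth` bytes from there; without depth it runs to the end of payload."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def match_payload(payload: bytes, rules=None) -> list:
    """Return the sids of all rules whose content clauses all match the payload."""
    parsed = [parse_rule(r) for r in (rules or SNORT_RULES)]
    return [r['sid'] for r in parsed
            if all(content_matches(payload, c['pattern'], c['offset'], c['depth'])
                   for c in r['contents'])]


# Constructed sample payloads (not real captures), one per signature plus a benign one.
SAMPLES = {
    'benign_banner': b'SSH-1.5-constructed-banner\n',
    'shell_string': b'prefix /bin/sh suffix',
    'zero_filler': b'\x00' * 13 + b'tail',
    'nop_sled': b'\x90' * 16,
    'crc32_header': bytes.fromhex('00015700000018') + b'\x00'
                    + bytes.fromhex('ffffffff0000') + b'A' * 10,
}


def scan_samples(samples=None) -> dict:
    """Return {sample name: [matching sids]} for the constructed samples."""
    return {name: match_payload(payload) for name, payload in (samples or SAMPLES).items()}


if __name__ == '__main__':
    for name, sids in scan_samples().items():
        print(f'{name:14s} -> {sids or "no alert"}')
```

Note that sid 1327 is the only one of the four that is position-sensitive: shifting its header bytes by one octet defeats it, while the other three fire anywhere in the payload, which is why a quiet Snort does not by itself prove that no oversized or malformed SSH packet arrived.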