From owner-freebsd-security  Thu Nov 29 14:58:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from www.qubic.net (qubic.net [166.90.54.137])
	by hub.freebsd.org (Postfix) with ESMTP id 7C60537B416
	for <security@FreeBSD.ORG>; Thu, 29 Nov 2001 14:58:31 -0800 (PST)
Received: from subman (R12-110.intnet.mu [202.123.12.110])
	by www.qubic.net (8.9.3/8.9.3) with SMTP id OAA09233;
	Thu, 29 Nov 2001 14:58:21 -0800
Message-Id: <3.0.5.32.20011130025506.008447c0@iname.com>
X-Sender: nntp@iname.com (Unverified)
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 30 Nov 2001 02:55:06 +0400
To: Emre Bastuz <info@emre.de>, security@FreeBSD.ORG
From: SM <nntp@iname.com>
Subject: Re: sshd: rcvd big packet ?
In-Reply-To: <3C0692F1.2040904@emre.de>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At 20:56 29-11-2001 +0100, Emre Bastuz wrote:
>I=B4m running snort 1.8.1 on this box - the IDS did not leave any attack
alerts ?

From the Snort 1.8.2 rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
overflow /bin/sh"; flags:A+; content:"/bin/sh"; reference:bugtraq,2347;
reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1324; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
overflow filler"; flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00
00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144;
classtype:shellcode-detect; sid:1325; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
overflow NOOP"; flags:A+; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90
90 90 90|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144;
classtype:shellcode-detect; sid:1326; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32
overflow"; flags:A+; content:"|00 01 57 00 00 00 18|"; offset:0; depth:7;
content:"|FF FF FF FF 00 00|"; offset:8; depth:14; reference:bugtraq,2347;
reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1327; rev:1;)

Regards,
-sm

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message