Cisco Support Community

SSHD CRC32 Buffer Overflow False Positive

The Custom String:

Engine STRING.TCP AlarmThrottle FireOnce Direction ToService MinHits 1 RegexString (\x00){18,} ResetAfterIdle 15 ServicePorts 22 SIGID 20001 SigName SSH CRC32 Buffer Overflow SigStringInfo Nulls SubSig 0 ThrottleInterval 15

Seems to be alarming on Mac OS 10 machines running openssh_2.9p2 and OpenSSH_3.0.2p1. Has anyone else seen this?

thanks,

Geoff

1 REPLY

Re: SSHD CRC32 Buffer Overflow False Positive

The STRING.TCP version of the SSH crc32 overflow was a temporary fix until the release of IDS version 3.0(3). This service pack will include updates that allow for a better sig for the SSH crc32 overflow, among others.

This custom string will, unfortunately, have a small number of false positives associated with it.

Thanks,

Tony
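
To see what the custom string keys on, here is an added example that is not part of the original thread: it applies the posted RegexString and ServicePorts value to constructed client-to-server byte streams and reports the offset and length of each null run. The function names and sample bytes are assumptions made for illustration; stream reassembly and the throttling parameters are not modelled.

```python
import re

# Pattern and port copied from the custom signature posted in the thread.
SIG_REGEX = re.compile(rb"(\x00){18,}")
SERVICE_PORT = 22


def null_runs(stream: bytes):
    """Return (offset, length) for every run the signature regex matches."""
    return [(m.start(), m.end() - m.start()) for m in SIG_REGEX.finditer(stream)]


def would_alarm(dst_port: int, to_service_stream: bytes) -> bool:
    """True if bytes sent to the SSH port contain at least one matching run."""
    return dst_port == SERVICE_PORT and bool(null_runs(to_service_stream))


# Constructed samples (not captures from the OpenSSH versions named above).
BANNER = b"SSH-2.0-OpenSSH_3.0.2p1\n"
# A stream whose payload carries a 20-byte zero-filled field.
ZERO_FILLED = BANNER + b"\x01\x02" + b"\x00" * 20 + b"\x03"
# Two 17-byte runs split by one non-null byte: below the {18,} threshold.
SHORT_RUNS = BANNER + b"\x00" * 17 + b"\xff" + b"\x00" * 17


def triage(name: str, dst_port: int, stream: bytes) -> str:
    """One-line summary an analyst can use to see what tripped the string."""
    runs = null_runs(stream) if dst_port == SERVICE_PORT else []
    if not runs:
        return f"{name}: no alarm"
    detail = ", ".join(f"offset {off} len {length}" for off, length in runs)
    return f"{name}: alarm ({detail})"


if __name__ == "__main__":
    print(triage("zero-filled field", 22, ZERO_FILLED))
    print(triage("short runs", 22, SHORT_RUNS))
    print(triage("other port", 2222, ZERO_FILLED))
```

The regex carries no protocol context, so any 18 or more consecutive null bytes sent to port 22 match it, whatever field they belong to.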
