04-21-2015 02:33 PM - edited 03-12-2019 05:39 AM
Hi everyone,
I am trying to ssh to a box from my PC.
Traffic flows via sensor interface Internal in ---------- Internal out.
When I check on the DC I see the ssh connection as an Intrusion event
Impact 2
Message ssh_event_respoverflow(128:)
When i go to events by Priority and Classification it shows
Intrusion Policy ------C1 Policy
Access control policy -----Default intrusion Prevention
Access control rule -------Internal IPS
Need to know how I can fix this issue?
Regards
Mahesh
05-06-2015 05:55 AM
Hello Mahesh,
Which version of Sourcefire Defense Center are you using?
It seems that your SSH preprocessor (GID 128) hit when it detected the SSH connection. You can view or modify the behavior of the SSH preprocessor.
In version 5.4, you can handle it through the following menu:
Policies -> Access Control -> Network Analysis Policy
Then, edit your "Network Analysis Policy" (be sure to edit the right one), then click on "Settings" in the navigation panel on the left, and select "SSH Configuration".
In version 5.2, you can handle it through the following menu:
Policies -> Intrusion -> Intrusion Policy
Then, edit your intrusion policy and click "Advanced Settings" in the navigation panel on the left. Now, in the panel on the right, edit "SSH configuration".
You should read the Online Help in order to understand each option available for the "SSH preprocessor" and finally understand why the drop occurred on your SSH connection.
Or, for testing, you may try to disable rules using the following filter in your intrusion policy:
GID:"128"
Best regards,
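As an added illustration of the point made in this answer (this is example code, not part of the thread and not Cisco/Sourcefire software), the script below parses event messages in the form shown in the question, "name(GID:SID)", and uses the generator ID to tell the analyst whether the event came from a text rule (GID 1 or 3) or from a preprocessor such as the SSH preprocessor (GID 128). That distinction decides where to tune: a rule's state in the intrusion policy, or the preprocessor's own settings. It also builds the rule-filter string from the GID, and tolerates a missing SID exactly as in the posted message. The SID:"..." filter syntax and the sample event list are assumptions of this example.

```python
"""Triage Sourcefire/Snort intrusion event messages by generator ID (GID).

Added example, not from the thread. The message format "name(GID:SID)" is the
one visible in the question ("ssh_event_respoverflow(128:)"); every sample
event below is constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional

# name(GID:SID) -- the SID part may be empty, as it is in the posted message.
EVENT_RE = re.compile(r"^(?P<name>[^()]+)\((?P<gid>\d+):(?P<sid>\d*)\)$")

# GIDs 1 and 3 are Snort text rules and shared-object rules; every other GID
# belongs to a preprocessor or decoder. 128 is the SSH preprocessor.
RULE_GIDS = frozenset({1, 3})


class IntrusionEvent(NamedTuple):
    name: str
    gid: int
    sid: Optional[int]  # None when the SID is not shown, as in the question


def parse_event(message: str) -> IntrusionEvent:
    """Parse one event message string; raise ValueError on unknown shapes."""
    m = EVENT_RE.match(message.strip())
    if not m:
        raise ValueError(f"unrecognised event message: {message!r}")
    sid = int(m.group("sid")) if m.group("sid") else None
    return IntrusionEvent(m.group("name"), int(m.group("gid")), sid)


def tuning_target(event: IntrusionEvent) -> str:
    """Where to tune: a rule's state, or a preprocessor's configuration."""
    return "rule" if event.gid in RULE_GIDS else "preprocessor"


def policy_filter(event: IntrusionEvent) -> str:
    """Rule-filter string for the intrusion policy editor.

    GID:"128" (the filter given in the answer) matches every SSH preprocessor
    rule; appending SID:"n" narrows it to one rule (assumed filter syntax).
    """
    flt = f'GID:"{event.gid}"'
    if event.sid is not None:
        flt += f' SID:"{event.sid}"'
    return flt


def summarize(messages: Iterable[str]) -> Dict[int, int]:
    """Count parseable events per GID so the noisiest generator stands out."""
    counts: Counter = Counter()
    for msg in messages:
        try:
            counts[parse_event(msg).gid] += 1
        except ValueError:
            continue  # skip lines that are not event messages
    return dict(counts)


# Constructed sample events (the first is the one quoted in the question).
SAMPLE_EVENTS = [
    "ssh_event_respoverflow(128:)",
    "ssh_event_respoverflow(128:1)",
    "ssh_event_protomismatch(128:4)",
    "EXAMPLE-RULE ssh probe(1:1000001)",
    "not an event line",
]

if __name__ == "__main__":
    for msg in SAMPLE_EVENTS:
        try:
            ev = parse_event(msg)
        except ValueError as exc:
            print(exc)
            continue
        print(f"{ev.name}: GID {ev.gid} -> tune {tuning_target(ev)}, "
              f"filter {policy_filter(ev)}")
    print("events per GID:", summarize(SAMPLE_EVENTS))
```

Run it against the messages copied from the DC event view; a GID other than 1 or 3 means the answer's advice applies and the preprocessor settings, not a rule, are what to adjust.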
05-06-2015 08:27 AM
Hi ,
DC version we are using is 5.3.
On the current version I do not see a tab for Network Analysis Policy.
What if I create a new Access Control Policy to allow the connection between the two hosts on port 22?
Regards
Mahesh
05-09-2015 07:14 AM
Many thanks for pointing me in right direction.
Regards
Mahesh