Defence center is blocking Openssh

mahesh18
Level 6

Hi everyone,

I am trying to SSH to a box from my PC.

Traffic flows via the sensor interface: Internal in ---------- Internal out.

When I check on the DC, I see the SSH connection as an intrusion event

Impact 2

Message ssh_event_respoverflow(128:)

 

When I go to events by Priority and Classification, it shows

 

Intrusion Policy ------C1 Policy

Access control policy -----Default intrusion Prevention

Access control rule -------Internal IPS

Need to know how I can fix this issue.

 

Regards

Mahesh

Accepted Solutions

clementlarrous
Level 1

Hello Mahesh,

Which version of Sourcefire Defense Center are you using?

It seems that your SSH preprocessor (GID 128) hits when it detects an SSH connection. You can view or modify the behavior of the SSH preprocessor.

In version 5.4, you can handle it through the following menu:

Policies -> Access Control -> Network Analysis Policy

Then, edit your "Network Analysis Policy" (be sure to edit the right one), then click on "Settings" in the navigation panel on the left, and select "SSH Configuration".

In version 5.2, you can handle it through the following menu:

Policies -> Intrusion -> Intrusion Policy

Then, edit your intrusion policy and click "Advanced Settings" in the navigation panel on the left. Now, in the panel on the right, edit "SSH configuration".

You should read the Online Help in order to understand each option available for the "SSH preprocessor" and finally understand why the drop occurred on your SSH connection.

Or, for testing, you may try to disable rules using the following filter in your intrusion policy:

GID:"128"

Best regards,

Hi,

The DC version we are using is 5.3.

On the current version I do not see a tab for Network Analysis Policy.

What if I create a new Access Control Policy to allow the connection between two hosts on port 22?

Regards

Mahesh

mahesh18
Level 6

 

Many thanks for pointing me in the right direction.

Regards

Mahesh
