
Problem with Signature 3651/0

cjbogaards
Level 1

We are seeing events triggered by this signature that appear to be invalid. SSH2 connection attempts appear to be triggering these events, when the exploit is clearly for SSH1. The signature is utilizing the SSH1 engine, but SSH1 is disabled on the host we are seeing connection attempts to.

OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: Applying options for *

debug2: ssh_connect: needpriv 0

debug1: Connecting to uaxxxx [xxx.xxx.xxx.xx] port 22.

debug1: Connection established.

debug1: identity file /home/b687511/.ssh/identity type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_3.7.1p2-pwexp24

debug1: match: OpenSSH_3.7.1p2-pwexp24 pat OpenSSH*

Protocol major versions differ: 1 vs. 2

Am I missing something or is there a bug in this signature?

Thanks

Chris

1 Reply

Not applicable

To my knowledge, there may be a chance of, so you upgrade the version to the latest. This document explains how to perform a Cisco Intrusion Detection System Module (IDSM) upgrade on an application partition, service pack, and a signature update.

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00800a3d42.shtml#tshoot
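
As an added example (not part of the original thread and not Cisco code), the check described in the question can be scripted: read the server's SSH identification string, or the `ssh -v` line that reports it, and decide whether an alert from an SSH1-only signature could apply to that host. The function names and verdict labels are assumptions made for this sketch; the 1.99 rule comes from RFC 4253.

```python
import re

# Identification string: "SSH-<protoversion>-<softwareversion>" (RFC 4253, section 4.2)
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")
# Line printed by the OpenSSH client in verbose mode, as in the post above
DEBUG_RE = re.compile(
    r"Remote protocol version (\d+)\.(\d+), remote software version (\S+)")


def supported_majors(major, minor):
    """Return the set of SSH protocol major versions the server offers."""
    if (major, minor) == (1, 99):
        # 1.99 is announced by an SSH2 server that still accepts SSH1 clients
        return {1, 2}
    return {major}


def parse_peer(line):
    """Extract software name and offered protocol majors from one line."""
    m = BANNER_RE.match(line.strip()) or DEBUG_RE.search(line)
    if m is None:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    return {"software": m.group(3), "majors": supported_majors(major, minor)}


def triage_ssh1_alert(lines):
    """Classify a hit from an SSH1-only signature against the server's banner."""
    for line in lines:
        peer = parse_peer(line)
        if peer is None:
            continue
        if 1 in peer["majors"]:
            return "investigate", peer        # server still speaks SSH1
        return "likely-false-positive", peer  # server offers SSH2 only
    return "unknown", None                    # no banner found in the input


# First line is taken from the post above; the other two are constructed samples.
FROM_POST = ["debug1: Remote protocol version 2.0, "
             "remote software version OpenSSH_3.7.1p2-pwexp24"]
CONSTRUCTED_COMPAT = ["SSH-1.99-OpenSSH_3.7.1p2"]
CONSTRUCTED_NO_BANNER = ["debug1: Connection established."]

if __name__ == "__main__":
    for sample in (FROM_POST, CONSTRUCTED_COMPAT, CONSTRUCTED_NO_BANNER):
        print(triage_ssh1_alert(sample))
```

The verdict is only a triage hint: it reflects what the server announces, so an SSH2-only banner supports treating the alert as a signature problem to raise with the vendor.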
