Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2522
Views
0
Helpful
2
Replies

How to Fix SSH_EVENT_RESPOVERFLOW on FMC

Garry Cooper
Level 1
Level 1

‎02-11-2021 12:59 AM

I am trying to transfer legitimate traffic using openssh verison 8.1 and the IPS triggers SSH_EVENT_RESPOVERFLOW.

What is the best option to fix this, as I am reluctant to disable rule, and whitelisting does not work

Labels:
0 Helpful
2 Replies 2

Ilkin
Cisco Employee
Cisco Employee

‎02-20-2021 12:03 AM

The SSH_EVENT_RESPOVERFLOW could be shown because the SSH preprocessor is enabled that also has the option Detect Challenge-Response Buffer Overflow Attack enabled. From the documentation:

Detect Challenge-Response Buffer Overflow Attack
Enables or disables detecting the Challenge-Response Buffer Overflow exploit.

You can enable rule 128:1 to generate events and, in an inline deployment, drop offending packets for this option. Note that an SFTP session can occasionally trigger rule 128:1.

According to the documentation for SFTP traffic, it seems to be expected.  Is there SFTP traffic going through Snort? 

 

0 Helpful

Garry Cooper
Level 1
Level 1
In response to Ilkin

‎02-22-2021 07:10 AM

Thanks for the reply, I have pushed this back to the vendors, as I suspect they could be using an old version of openssh.

Will update this once I know 

0 Helpful
Customers Also Viewed These Support Documents