[Bro] ssh alternative ports

rmkml rmkml at free.fr
Sat Nov 15 07:39:44 PST 2008


Thanks for the reply and sorry for the delay.
OK, I have changed the signature to (for example):
30:signature sid-1812 {
31:  ip-proto == tcp
32:  dst-port == SSH::ssh_ports
33:  event "EXPLOIT gobbles SSH exploit attempt"
34:  tcp-state established,originator
35:  payload /.*GOBBLES/
36:  }
bro140ipv6 gives an error:
  Error in signature (policy/sigs/snort-default.sig:32): unknown script-level identifier (SSH)
  Error in signature (policy/sigs/snort-default.sig:32): parse error
  Error in signature (policy/sigs/dpd.sig:1): parse error
The first line of the unmodified dpd.sig file is:
  # ALS signatures for protocol detection.

Any other ideas?
Regards
Rmkml
Crusoe-Researches.com

On Thu, 13 Nov 2008, Robin Sommer wrote:

> Date: Thu, 13 Nov 2008 16:38:32 -0800
> From: Robin Sommer <robin at icir.org>
> To: bro at ICSI.Berkeley.EDU, rmkml <rmkml at free.fr>
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] ssh alternative ports
> 
>
> On Wed, Nov 12, 2008 at 09:50 +0100, you wrote:
>
>> Error in signature (.../policy/sigs/snort-default.sig:32): unknown script-level identifier (ssh_ports)
>
> Have you tried SSH::ssh_ports?
>
> Robin
>
>
> -- 
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>

