[Bro] ssh alternative ports
rmkml
rmkml at free.fr
Sat Nov 15 07:39:44 PST 2008
Thanks for the reply, and sorry for the delay.
OK, I have changed the signature to (for example):
30:signature sid-1812 {
31: ip-proto == tcp
32: dst-port == SSH::ssh_ports
33: event "EXPLOIT gobbles SSH exploit attempt"
34: tcp-state established,originator
35: payload /.*GOBBLES/
36: }
bro140ipv6 gives an error:
Error in signature (policy/sigs/snort-default.sig:32): unknown script-level identifier (SSH)
Error in signature (policy/sigs/snort-default.sig:32): parse error
Error in signature (policy/sigs/dpd.sig:1): parse error
The first line of the unmodified dpd.sig file is:
# ALS signatures for protocol detection.
Another idea?
Regards
Rmkml
Crusoe-Researches.com
On Thu, 13 Nov 2008, Robin Sommer wrote:
> Date: Thu, 13 Nov 2008 16:38:32 -0800
> From: Robin Sommer <robin at icir.org>
> To: bro at ICSI.Berkeley.EDU, rmkml <rmkml at free.fr>
> Cc: bro at bro-ids.org
> Subject: Re: [Bro] ssh alternative ports
>
>
> On Wed, Nov 12, 2008 at 09:50 +0100, you wrote:
>
>> Error in signature (.../policy/sigs/snort-default.sig:32): unknown script-level identifier (ssh_ports)
>
> Have you tried SSH::ssh_ports?
>
> Robin
>
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>