Threshold.conf for ssh: Gobbles exploit - need advice.


Daniel Kertby

Feb 13, 2015, 5:19:05 AM
to securit...@googlegroups.com

I have a false positive on ssh: Gobbles exploit.

The signature id seems to be 1.

+-------+----------------------+--------------+
| cnt   | signature            | signature_id |
+-------+----------------------+--------------+
| 31978 |
| 68    | ssh: Gobbles exploit | 1            |


Doing grep -i gobbles in rules/downloaded only reveals hashed-out lines.
Doing grep -i gobbles in rules/:

grep -i gobbles sid-msg.map
1382 || SERVER-OTHER CHAT IRC Ettercap parse overflow attempt || url,www.bugtraq.org/dev/GOBBLES-12.txt
1810 || SERVER-OTHER successful gobbles ssh exploit GOBBLE || cve,2002-0640 || cve,2002-0390 || bugtraq,5093
1811 || SERVER-OTHER successful gobbles ssh exploit uname || nessus,11031 || cve,2002-0640 || cve,2002-0390 || bugtraq,5093
1812 || SERVER-OTHER gobbles SSH exploit attempt || nessus,11031 || cve,2002-0639 || bugtraq,5093


My intention is to filter out false positives on src ip using threshold.conf.
How do I proceed and how can I have a match when hashed out?

Running SO with Snorby.

Best Regards,
Daniel

Daniel Kertby

Feb 16, 2015, 6:56:20 AM
to securit...@googlegroups.com
Anyone?

Chris White

Feb 16, 2015, 10:46:40 AM
to securit...@googlegroups.com
That format looks consistent with a Snort preprocessor rule (lowercase: Msg).

I believe the ssh preprocessor is gid 128, so given your table, if you wish to suppress or otherwise modify this rule do so in threshold.conf and modify 128:1.

As for the missing downloaded rules bit: that file and pulledpork only deal with gid 1 rules; you will not see preprocessor rules there.

This is from memory as I'm off today, so YMMV.

Best of luck,
Chris White
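To make the pointer above concrete, here is an added shell example (not from this thread, Snort or Security Onion) that looks a preprocessor alert message up in the gen-msg.map format, where preprocessor events are catalogued as "gid || sid || msg", and emits the threshold.conf suppress entry for one source address. The sample map contents and the host 192.0.2.10 are constructed; the /etc/nsm/rules/gen-msg.map path and the restart command in the note are assumptions about the Security Onion release of the time.

```shell
#!/bin/sh
# Map a preprocessor alert message to its gid:sid and emit the matching
# threshold.conf suppress entry.
#
# Preprocessor alerts (ssh, stream5, http_inspect, ...) live in gen-msg.map
# as "gid || sid || msg"; sid-msg.map and rules/downloaded only carry gid 1
# text rules, which is why grepping them for the message turns up nothing.

# Constructed sample in gen-msg.map format (not copied from a real sensor).
# On Security Onion of that era the live file is assumed to be at
# /etc/nsm/rules/gen-msg.map; verify the path on your own sensor.
SAMPLE_GEN_MSG_MAP='128 || 1 || ssh: Gobbles exploit
128 || 2 || ssh: CRC 32 exploit
129 || 5 || stream5: Bad segment, adjusted size <= 0'

# gen_sid_for_msg MSG
#   Prints "gid:sid" for the first gen-msg.map line whose message equals MSG,
#   or nothing if there is no such line.
gen_sid_for_msg() {
    printf '%s\n' "$SAMPLE_GEN_MSG_MAP" |
    awk -F'[|][|]' -v m="$1" '
        { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }
        $3 == m { print $1 ":" $2; exit }'
}

# suppress_line GID SID SRC_IP
#   Builds a suppress entry that silences gid:sid only for alerts whose
#   source address is SRC_IP; the same event from any other source still alerts.
suppress_line() {
    printf 'suppress gen_id %s, sig_id %s, track by_src, ip %s\n' "$1" "$2" "$3"
}

# Stand-alone run: resolve the message from the thread and print the line
# to append to threshold.conf for a constructed noisy host.
gs=$(gen_sid_for_msg 'ssh: Gobbles exploit')
suppress_line "${gs%%:*}" "${gs##*:}" 192.0.2.10
```

suppress drops the event entirely for that source. If you would rather keep seeing it at a low rate, `event_filter gen_id 128, sig_id 1, type limit, track by_src, count 1, seconds 60` keeps one alert per source per minute instead. On Security Onion of that era the edited threshold.conf is picked up by restarting the Snort alert process (assumed command: `sudo nsm_sensor_ps-restart --only-snort-alert`).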

Daniel Kertby

Feb 25, 2015, 1:09:26 AM
to securit...@googlegroups.com
Thanks for your support Chris!

It seemed to be correct, thanks!

Regards,
/Daniel