Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 25-68
Chapter 25      Using Application Layer Preprocessors
Detecting Exploits Using the SSH Preprocessor
  • Maximum Length of Protocol Version String: 80
  • Number of Encrypted Packets to Inspect: 25
  • Number of Bytes Sent Without Server Response: 19,600
  • All detect options are enabled.
In the example, the preprocessor inspects traffic only on port 22. That is, auto-detection is disabled, so it inspects only on the specified port.
Additionally, the preprocessor in the example stops inspecting traffic when either of the following occurs:
  • The client sends 25 encrypted packets which contain no more than 19,600 bytes, cumulative. The assumption is there is no attack.
  • The client sends more than 19,600 bytes within 25 encrypted packets. In this case, the preprocessor considers the attack to be the Challenge-Response Buffer Overflow exploit because the session in the example is an SSH Version 2 session.
The preprocessor in the example will also detect any of the following that occur while it is processing traffic:
  • a server overflow, triggered by a version string greater than 80 bytes and indicating a SecureCRT exploit
  • a protocol mismatch
  • a packet flowing in the wrong direction
Finally, the preprocessor will automatically detect any version string other than version 1 or version 2.
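The example session above, modelled as an added illustration that is not Cisco's or Snort's code: a small Python session monitor applying the example's thresholds to constructed packet tuples (src_port, dst_port, payload). The port-based direction check, banner parsing, and the rule that a server response resets the client byte count are simplifying assumptions of this example.

```python
from dataclasses import dataclass, field

@dataclass
class SshSessionMonitor:
    server_ports: frozenset = frozenset({22})  # Server Ports (Autodetect Ports disabled)
    max_version_len: int = 80                  # Maximum Length of Protocol Version String
    max_encrypted: int = 25                    # Number of Encrypted Packets to Inspect
    max_client_bytes: int = 19_600             # Number of Bytes Sent Without Server Response
    version: int = 0                           # major SSH version once a banner is parsed (0 = none yet)
    encrypted: int = 0                         # client encrypted packets counted so far
    client_bytes: int = 0                      # client bytes since the last server response
    done: bool = False                         # True once the session is no longer inspected
    alerts: list = field(default_factory=list)

    def _banner(self, payload: bytes, from_server: bool) -> None:
        # Version exchange line "SSH-<protoversion>-<software>" (RFC 4253)
        if from_server and len(payload) > self.max_version_len:
            self.alerts.append("server overflow (SecureCRT)")
        proto = payload[4:].split(b"-", 1)[0]
        if proto == b"1.99" or proto.startswith(b"2."):
            self.version = 2
        elif proto.startswith(b"1."):
            self.version = 1
        else:
            self.alerts.append("unsupported version " + proto.decode(errors="replace"))

    def feed(self, src_port: int, dst_port: int, payload: bytes) -> None:
        if self.done:
            return
        if dst_port in self.server_ports:      # client -> server
            from_server = False
        elif src_port in self.server_ports:    # server -> client
            from_server = True
        else:                                  # neither end is a configured server port
            self.alerts.append("wrong direction")
            return
        if payload.startswith(b"SSH-"):
            self._banner(payload, from_server)
        elif self.version == 0:                # data before any SSH banner
            self.alerts.append("protocol mismatch")
        elif from_server:
            self.client_bytes = 0              # a server response resets the byte count
        else:
            self.encrypted += 1
            self.client_bytes += len(payload)
            if self.client_bytes > self.max_client_bytes:  # SSH2 vs SSH1 exploit name
                self.alerts.append("Challenge-Response Buffer Overflow" if self.version == 2 else "CRC-32")
                self.done = True
            elif self.encrypted >= self.max_encrypted:
                self.done = True               # clean packet quota reached; assume no attack
```

Feeding 25 client packets totalling under 19,600 bytes ends inspection with no alert, while pushing the count past 19,600 bytes before a server reply raises the SSH2 or SSH1 alert, matching the two stop conditions described above.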
If no preprocessor rule is mentioned, the option is not associated with a preprocessor rule.
Server Ports
Specifies on which ports the SSH preprocessor should inspect traffic.
You can configure a single port or a comma-separated list of ports.
Autodetect Ports
Sets the preprocessor to automatically detect SSH traffic. 
When this option is selected, the preprocessor inspects all traffic for an SSH version number. It stops processing when neither the client nor the server packet contains a version number. When disabled, the preprocessor inspects only the traffic identified by the Server Ports option.
Number of Encrypted Packets to Inspect
Specifies the number of encrypted packets to examine per session.
Setting this option to zero will allow all traffic to pass.
Reducing the number of encrypted packets to inspect may result in some attacks escaping detection.
Raising the number of encrypted packets to inspect may negatively affect performance.
Number of Bytes Sent Without Server Response
Specifies the maximum number of bytes an SSH client may send to a server without getting a response before assuming there is a Challenge-Response Buffer Overflow or CRC-32 attack.
Increase the value for this option if the preprocessor generates false positives on the Challenge-Response Buffer Overflow or CRC-32 exploit.