Cisco FirePOWER Appliance 8360
25-67
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Detecting Exploits Using the SSH Preprocessor
Challenge-Response Buffer Overflow exploits apply only to SSH Version 2. The version string is read
at the beginning of the session. Except for the difference in the version string, both attacks are handled
in the same way.
The SecureCRT SSH exploit and protocol mismatch attacks occur when attempting to secure a
connection, before the key exchange. The SecureCRT exploit sends an overly long protocol identifier
string to the client that causes a buffer overflow. A protocol mismatch occurs when either a non-SSH
client application attempts to connect to a secure SSH server or the server and client version numbers do
not match.
You can configure the preprocessor to inspect traffic on a specified port or list of ports, or to
automatically detect SSH traffic. It will continue to inspect SSH traffic until either a specified number
of encrypted packets has passed within a specified number of bytes, or until a specified maximum
number of bytes is exceeded within the specified number of packets. If the maximum number of bytes
is exceeded, it is assumed that a CRC-32 (SSH Version 1) or a Challenge-Response Buffer Overflow
(SSH Version 2) attack has occurred. Additionally, you can detect the SecureCRT exploit, protocol
mismatches, and bad message direction. Note that the preprocessor detects without configuration any
version string value other than version 1 or 2.
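The checks described above all key off the identification string exchanged at the start of the session. The following Python example, added here and not part of the FireSIGHT product or this guide, models those checks on constructed sample exchanges: an overly long protocol identifier, a non-SSH peer on an SSH port, a version string that is neither 1 nor 2, and a server/client version mismatch. The 255-byte length threshold, the helper names and the sample strings are assumptions for the example; the preprocessor's own limits are not stated on this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed threshold for an "overly long" identification string. RFC 4253 sec. 4.2
# caps the line at 255 bytes including CR LF; the guide does not state the
# preprocessor's own limit, so this value is an assumption for the example.
MAX_IDENT_LEN = 255

# "SSH-protoversion-softwareversion [SP comments]" with the CR LF already stripped.
IDENT_RE = re.compile(rb"^SSH-(\d+)\.(\d+)-(\S+)(?: (.*))?$")


@dataclass
class IdentResult:
    role: str                      # "server" or "client"
    findings: List[str] = field(default_factory=list)
    major: Optional[int] = None
    minor: Optional[int] = None

    @property
    def supports_v2(self) -> bool:
        # A "1.99" peer advertises compatibility with version 2 (RFC 4253 sec. 5.1).
        return self.major == 2 or (self.major == 1 and self.minor == 99)


def check_identification(line: bytes, role: str) -> IdentResult:
    """Apply the per-side checks to one identification line (hypothetical helper)."""
    result = IdentResult(role)
    if len(line) > MAX_IDENT_LEN:
        # The SecureCRT case in the text: an overly long identifier sent to the client.
        result.findings.append(f"{role}: overly long identification string ({len(line)} bytes)")
    match = IDENT_RE.match(line.rstrip(b"\r\n"))
    if match is None:
        # A non-SSH peer (for example an HTTP request line) talking to an SSH port.
        result.findings.append(f"{role}: identification string is not SSH (protocol mismatch)")
        return result
    result.major, result.minor = int(match.group(1)), int(match.group(2))
    if result.major not in (1, 2):
        result.findings.append(f"{role}: protocol version {result.major}.{result.minor} is neither 1 nor 2")
    return result


def check_exchange(server_line: bytes, client_line: bytes) -> List[str]:
    """Check both identification lines, then compare the versions they advertise."""
    srv = check_identification(server_line, "server")
    cli = check_identification(client_line, "client")
    findings = srv.findings + cli.findings
    if srv.major is not None and cli.major is not None:
        compatible = srv.major == cli.major or (srv.supports_v2 and cli.supports_v2)
        if not compatible:
            findings.append(
                f"version mismatch: server {srv.major}.{srv.minor} vs client {cli.major}.{cli.minor}")
    return findings


# Constructed sample exchanges (server line, client line); not captured traffic.
SAMPLES = {
    "normal": (b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    "compat_1_99": (b"SSH-1.99-OpenSSH_3.9\r\n", b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    "http_client": (b"SSH-2.0-OpenSSH_8.9\r\n", b"GET / HTTP/1.1\r\n"),
    "long_server_ident": (b"SSH-2.0-" + b"A" * 300 + b"\r\n", b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    "bad_version": (b"SSH-3.0-experimental\r\n", b"SSH-2.0-PuTTY_Release_0.78\r\n"),
    "version_mismatch": (b"SSH-2.0-OpenSSH_8.9\r\n", b"SSH-1.5-legacy_client\r\n"),
}


def run_samples() -> dict:
    """Return the findings for every constructed sample."""
    return {name: check_exchange(srv, cli) for name, (srv, cli) in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name}: {findings or 'no findings'}")
```

Note that the length check runs before parsing, so an overly long but otherwise well-formed identifier produces exactly one finding, while a version 3 string produces both a bad-version finding and a mismatch finding against a version 2 peer.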
Note the following when using the SSH preprocessor:
• You must enable SSH preprocessor rules, which have a generator ID (GID) of 128, if you want these
rules to generate events. A link on the configuration page takes you to a filtered view of SSH
preprocessor rules on the intrusion policy Rules page, where you can enable and disable rules and
configure other rule actions. See
for more information.
• The SSH preprocessor requires TCP stream preprocessing. If TCP stream preprocessing is disabled
and you enable the SSH preprocessor, you are prompted when you save the policy whether to enable
TCP stream preprocessing. See
and
for more information.
• The SSH preprocessor does not handle brute force attacks. For information on brute force attempts,
see
See the following sections for more information:
•
•
Selecting SSH Preprocessor Options
License: Protection
This section describes the options you can use to configure the SSH preprocessor.
The preprocessor stops inspecting traffic for a session when either of the following occurs:
• a valid exchange between the server and the client has occurred for the configured Number of
Encrypted Packets to Inspect; the connection continues.
• the Number of Bytes Sent Without Server Response is reached before the Number of Encrypted Packets
to Inspect is reached; the assumption is made that there is an attack.
Each valid server response during Number of Encrypted Packets to Inspect resets the Number of Bytes Sent
Without Server Response, and the packet count continues.
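The interaction between the two counters is easiest to see on concrete packet sequences. The following Python example, added here and not part of the FireSIGHT product or this guide, models the stop conditions just described: every encrypted packet advances the packet count, client bytes accumulate until a server packet resets them, and whichever threshold is reached first decides whether the session is treated as valid or as an attack. The function names, the threshold values (25 packets, 19600 bytes), the choice of "reached" as greater-or-equal, and the packet sequences are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable, Tuple

CLIENT = "client"   # packet sent by the SSH client
SERVER = "server"   # packet sent by the SSH server


@dataclass
class SessionVerdict:
    outcome: str               # "valid", "attack", or "undecided" (session ended first)
    packets_inspected: int     # encrypted packets seen when inspection stopped
    client_bytes_at_stop: int  # bytes sent without a server response at that point


def inspect_ssh_session(packets: Iterable[Tuple[str, int]],
                        encrypted_packets_to_inspect: int,
                        bytes_without_server_response: int) -> SessionVerdict:
    """Walk the encrypted packets of one session and apply the two stop conditions.

    Hypothetical model of the behaviour the guide describes, not the product code:
    every packet counts toward Number of Encrypted Packets to Inspect, client bytes
    accumulate in Number of Bytes Sent Without Server Response, and any server packet
    resets that byte counter while the packet count keeps running. "Reached" is
    treated as >= (assumption).
    """
    packets_seen = 0
    client_bytes = 0
    for direction, length in packets:
        packets_seen += 1
        if direction == CLIENT:
            client_bytes += length
        elif direction == SERVER:
            client_bytes = 0          # a valid server response resets the byte counter
        else:
            raise ValueError(f"unknown packet direction: {direction!r}")
        if client_bytes >= bytes_without_server_response:
            return SessionVerdict("attack", packets_seen, client_bytes)
        if packets_seen >= encrypted_packets_to_inspect:
            return SessionVerdict("valid", packets_seen, client_bytes)
    return SessionVerdict("undecided", packets_seen, client_bytes)


# Constructed packet sequences (direction, payload length); not captured traffic.
SESSIONS = {
    # interactive session: client and server alternate
    "normal": [(CLIENT, 120), (SERVER, 96)] * 15,
    # client keeps sending with no server reply at all
    "one_way_flood": [(CLIENT, 2000)] * 12,
    # long client bursts, each answered before the byte limit is hit
    "bursts_with_replies": ([(CLIENT, 2000)] * 9 + [(SERVER, 64)]) * 2
                           + [(CLIENT, 120), (SERVER, 96)] * 3,
}

# Example thresholds; values are assumptions chosen for the demonstration.
PACKETS_TO_INSPECT = 25
BYTES_WITHOUT_RESPONSE = 19600


def run_sessions() -> dict:
    """Return the verdict for every constructed session."""
    return {name: inspect_ssh_session(pkts, PACKETS_TO_INSPECT, BYTES_WITHOUT_RESPONSE)
            for name, pkts in SESSIONS.items()}


if __name__ == "__main__":
    for name, verdict in run_sessions().items():
        print(f"{name}: {verdict}")
```

The "bursts_with_replies" sequence sends 18000 client bytes twice, but because a server packet arrives between the bursts the byte counter never reaches the limit, and inspection ends normally at the 25th packet; the same total of client bytes with no server reply ("one_way_flood") crosses the limit at the 10th packet and is treated as an attack.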
Consider the following example SSH preprocessor configuration:
• Server Ports: 22
• Autodetect Ports: off