Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 25 Using Application Layer Preprocessors
Detecting Exploits Using the SSH Preprocessor
Maximum Length of Protocol Version String
Specifies the maximum number of bytes allowed in the server’s version string before considering it
to be a SecureCRT exploit.
Detect Challenge-Response Buffer Overflow Attack
Enables or disables detecting the Challenge-Response Buffer Overflow exploit.
You can enable rule 128:1 to generate events for this option.
Detect SSH1 CRC-32 Attack
Enables or disables detecting the CRC-32 exploit.
You can enable rule 128:2 to generate events for this option.
Detect Server Overflow
Enables or disables detecting the SecureCRT SSH Client Buffer Overflow exploit.
You can enable rule 128:3 to generate events for this option.
Detect Protocol Mismatch
Enables or disables detecting protocol mismatches.
You can enable rule 128:4 to generate events for this option.
Detect Bad Message Direction
Enables or disables detecting when traffic flows in the wrong direction (that is, if the presumed
server generates client traffic, or if a client generates server traffic).
You can enable rule 128:5 to generate events for this option.
Detect Payload Size Incorrect for the Given Payload
Enables or disables detecting packets with an incorrect payload size such as when the length
specified in the SSH packet is not consistent with the total length specified in the IP header or the
message is truncated, that is, there is not enough data for a full SSH header.
You can enable rule 128:6 to generate events for this option.
Detect Bad Version String
Note that, when enabled, the preprocessor detects without configuration any version string other
than version 1 or 2.
You can enable rule 128:7 to generate events for this option.
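The following Python sketch is an added illustration, not Cisco's preprocessor code: it applies the Maximum Length of Protocol Version String and Detect Bad Version String checks described above to constructed banners and returns the matching rule IDs (128:3 and 128:7). The 80-byte limit, the function names, and the choice to measure the line without its trailing CR LF are assumptions made for the example.

```python
import re

# Assumed limit for this sketch; on the appliance it is whatever you set in
# "Maximum Length of Protocol Version String".
MAX_SERVER_VERSION_LEN = 80

# Identification line layout: SSH-<protoversion>-<softwareversion>[ comments]
_IDENT = re.compile(rb"^SSH-(\d+)\.(\d+)-")


def protocol_major(banner: bytes):
    """Return 1 or 2 for a recognised version string, else None."""
    m = _IDENT.match(banner)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):  # 1.99: SSH2 server that also accepts SSH1
        return 2
    return major if major in (1, 2) else None


def check_banner(banner: bytes, from_server: bool,
                 max_len: int = MAX_SERVER_VERSION_LEN):
    """Return the preprocessor rule IDs this banner would trigger."""
    hits = []
    line = banner.split(b"\n", 1)[0].rstrip(b"\r")
    # Server Overflow: only the server's string is measured against the limit.
    if from_server and len(line) > max_len:
        hits.append("128:3")
    # Bad Version String: anything that is not protocol version 1 or 2.
    if protocol_major(line) is None:
        hits.append("128:7")
    return hits


# Constructed sample banners (not captured traffic): (bytes, sent_by_server)
SAMPLES = [
    (b"SSH-2.0-OpenSSH_9.6\r\n", True),
    (b"SSH-1.99-ExampleServer\r\n", True),
    (b"SSH-3.0-ExampleServer\r\n", True),
    (b"SSH-2.0-" + b"A" * 300 + b"\r\n", True),
    (b"SSH-2.0-" + b"A" * 300 + b"\r\n", False),
]

if __name__ == "__main__":
    for raw, from_server in SAMPLES:
        side = "server" if from_server else "client"
        print(side, raw[:24], check_banner(raw, from_server))
```

Running it over the samples shows why the length limit only matters for server-side strings: the same 300-byte banner produces 128:3 when the server sends it and nothing when the client does.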
Configuring the SSH Preprocessor
License: Protection