public inbox for cygwin@cygwin.com
* Cygwin ssh vs NIPS
@ 2011-06-15 13:09 steve
  2011-06-15 23:04 ` Ryan Johnson
  0 siblings, 1 reply; 2+ messages in thread
From: steve @ 2011-06-15 13:09 UTC (permalink / raw)
  To: cygwin

I have been using Cygwin for several years to remotely manage my servers via ssh.  In the last month our SiteProtector started killing my ssh connections.  It is flagging it as a DOS.  The specific NIPS rule is "ssh_ChallengeResponse_BO".

"This signature looks at 32768 bytes of SSH connection traffic beginning 1024 bytes after the software version information has been exchanged.  The signature fires when it finds 48 consecutive characters of ASCII data.  The number of bytes to examine (pan.ssh.search.charcount) and the number of consecutive ASCII bytes to trigger the signature (pan.ssh.search.threshold) are user configurable."

Anyone have any suggestions?  This is driving me F'n crazy...had to start to use Putty....scp with Putty sux.

Any help is appreciated!
Thanks
Paj

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: Cygwin ssh vs NIPS
  2011-06-15 13:09 Cygwin ssh vs NIPS steve
@ 2011-06-15 23:04 ` Ryan Johnson
  0 siblings, 0 replies; 2+ messages in thread
From: Ryan Johnson @ 2011-06-15 23:04 UTC (permalink / raw)
  To: cygwin

On 15/06/2011 4:09 PM, steve wrote:
> I have been using Cygwin for several years to remotely manage my servers via ssh.  In the last month our SiteProtector started killing my ssh connections.  It is flagging it as a DOS.  The specific NIPS rule is "ssh_ChallengeResponse_BO".
>
> "This signature looks at 32768 bytes of SSH connection traffic beginning 1024 bytes after the software version information has been exchanged.  The signature fires when it finds 48 consecutive characters of ASCII data.  The number of bytes to examine (pan.ssh.search.charcount) and the number of consecutive ASCII bytes to trigger the signature (pan.ssh.search.threshold) are user configurable."

I had this happen once with an old Sun ssh -- turns out it was listing 
in the ssh preamble every language and locale it knew about, which 
turned out to be around 22k ascii char (!). I've never seen the problem 
with Cygwin before, though, and the network admin didn't tell me what he 
used to read the ssh preamble.

That said, 48 chars seems a tad low; are you at liberty to change it?

Ryan
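
The heuristic quoted from the rule description, re-implemented as an added example (not code from this thread or from the IPS vendor), to show why a cleartext key-exchange packet with a very long language list trips it while ordinary encrypted traffic does not. Assumptions: "ASCII" is read as printable ASCII, only one direction of the connection is examined, the function names are hypothetical, and the banner, algorithm lists and locale tags are constructed sample data.

```python
import hashlib
import struct

def longest_ascii_run(stream, skip=1024, charcount=32768):
    """Return (length, offset) of the longest printable-ASCII run in the
    charcount-byte window that starts skip bytes after the version line."""
    start = stream.index(b"\n") + 1 + skip
    best_len = best_off = run = 0
    for i, b in enumerate(stream[start:start + charcount]):
        run = run + 1 if 0x20 <= b <= 0x7E else 0  # assumption: "ASCII" = printable
        if run > best_len:
            best_len, best_off = run, start + i - run + 1
    return best_len, best_off

def signature_fires(stream, threshold=48):
    return longest_ascii_run(stream)[0] >= threshold

def kexinit(name_lists):
    """Constructed cleartext SSH_MSG_KEXINIT packet (RFC 4253 layout)."""
    payload = bytes([20]) + bytes(16)            # message type, cookie (zeroed)
    for names in name_lists:                     # ten name-lists
        data = ",".join(names).encode()
        payload += struct.pack(">I", len(data)) + data
    payload += bytes(5)                          # first_kex_packet_follows, reserved
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0                   # at least 4 bytes of padding
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + bytes(pad)

def fake_ciphertext(n):
    """Deterministic stand-in for the encrypted bytes that follow key exchange."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample data, not captured traffic.
VERSION = b"SSH-2.0-ExampleServer_1.0\r\n"
ALGS = [["diffie-hellman-group14-sha1"], ["ssh-rsa"], ["aes128-ctr"], ["aes128-ctr"],
        ["hmac-sha1"], ["hmac-sha1"], ["none"], ["none"]]
LOCALES = [f"x-loc{i:04d}" for i in range(2200)]  # placeholder language tags, ~22k chars

TERSE = VERSION + kexinit(ALGS + [[], []]) + fake_ciphertext(40000)
VERBOSE = VERSION + kexinit(ALGS + [LOCALES, []]) + fake_ciphertext(40000)

if __name__ == "__main__":
    for name, s in (("terse", TERSE), ("verbose", VERBOSE)):
        print(name, longest_ascii_run(s), signature_fires(s))
```

Running `longest_ascii_run` over a real capture of the flagged connection gives the offset and length of the run that matched, which is the evidence needed to decide whether the rule's threshold or the endpoint's configuration should change.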

