From: Ryan Johnson
Date: Wed, 15 Jun 2011 23:04:00 -0000
To: cygwin@cygwin.com
Subject: Re: Cygwin ssh vs NIPS
Message-ID: <4DF93A8F.8010003@ece.cmu.edu>
In-Reply-To: <11457.95026.qm@web35305.mail.mud.yahoo.com>

On 15/06/2011 4:09 PM, steve wrote:
> I have been using Cygwin for several years to remotely manage my servers via ssh. In the last month our SiteProtector started killing my ssh connections. It is flagging it as a DOS. The specific NIPS rule is "ssh_ChallengeResponse_BO".
>
> "This signature looks at 32768 bytes of SSH connection traffic beginning 1024 bytes after the software version information has been exchanged. The signature fires when it finds 48 consecutive characters of ASCII data. The number of bytes to examine (pan.ssh.search.charcount) and the number of consecutive ASCII bytes to trigger the signature (pan.ssh.search.threshold) are user configurable."

I had this happen once with an old Sun ssh -- turns out it was listing in the ssh preamble every language and locale it knew about, which turned out to be around 22k ASCII chars (!). I've never seen the problem with Cygwin before, though, and the network admin didn't tell me what he used to read the ssh preamble.

That said, 48 chars seems a tad low. Are you at liberty to change it?

Ryan
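
Added example, not part of the original message and not any vendor's code: a Python sketch of the heuristic as the quoted signature text describes it, run over a constructed SSH KEXINIT payload, to show why a preamble with very long language lists trips the rule while a short one does not. The printable-ASCII definition, the point where the stream starts, the `skip` parameter name and all sample data are assumptions.

```python
import struct

def name_list(names):
    # RFC 4251 name-list: uint32 length, then comma-separated ASCII names
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def kexinit_payload(languages):
    # Constructed SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), no packet framing
    lists = [
        ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
        ["ssh-rsa", "ssh-dss"],
        ["aes128-ctr", "aes256-ctr"], ["aes128-ctr", "aes256-ctr"],
        ["hmac-sha1", "hmac-md5"], ["hmac-sha1", "hmac-md5"],
        ["none", "zlib"], ["none", "zlib"],
        languages, languages,
    ]
    body = b"\x14" + bytes(16)                 # message type 20 + zeroed cookie
    body += b"".join(name_list(l) for l in lists)
    return body + b"\x00" + bytes(4)           # first_kex_packet_follows + reserved

def longest_ascii_run(data):
    # Assumption: "ASCII data" means printable bytes 0x20..0x7e
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, run)
    return best

def signature_fires(stream, skip=1024, charcount=32768, threshold=48):
    # stream: bytes sent after the version exchange (assumed starting point);
    # charcount/threshold mirror pan.ssh.search.charcount/.threshold in the quote
    window = stream[skip:skip + charcount]
    return longest_ascii_run(window) >= threshold

# Constructed stand-in for later binary/encrypted traffic (no printable bytes)
FILLER = bytes(range(0x80, 0x100)) * 32
TERSE = kexinit_payload([]) + FILLER
# Constructed locale tags, about 22k of ASCII across the two language lists
VERBOSE = kexinit_payload([f"lang{i:04d}" for i in range(1200)]) + FILLER

if __name__ == "__main__":
    for label, stream in (("terse", TERSE), ("verbose", VERBOSE)):
        print(label, len(stream), signature_fires(stream))
```

Even the short payload contains a name-list longer than 48 ASCII bytes; it passes only because it ends before the 1024-byte offset, so any peer whose algorithm or language lists spill past that offset will match.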