Mail Archives: cygwin/2011/06/15/19:05:10

Message-ID: <4DF93A8F.8010003@ece.cmu.edu>
Date: Thu, 16 Jun 2011 02:04:47 +0300
From: Ryan Johnson <ryanjohn AT ece DOT cmu DOT edu>
To: cygwin AT cygwin DOT com
Subject: Re: Cygwin ssh vs NIPS
References: <11457 DOT 95026 DOT qm AT web35305 DOT mail DOT mud DOT yahoo DOT com>
In-Reply-To: <11457.95026.qm@web35305.mail.mud.yahoo.com>

On 15/06/2011 4:09 PM, steve wrote:
> I have been using Cygwin for several years to remotely manage my servers via ssh.  In the last month our SiteProtector started killing my ssh connections.  It is flagging it as a DOS.  The specific NIPS rule is "ssh_ChallengeResponse_BO".
>
> "This signature looks at 32768 bytes of SSH connection traffic beginning 1024 bytes after the software version information has been exchanged.  The signature fires when it finds 48 consecutive characters of ASCII data.  The number of bytes to examine (pan.ssh.search.charcount) and the number of consecutive ASCII bytes to trigger the signature (pan.ssh.search.threshold) are user configurable."
I had this happen once with an old Sun ssh -- turns out it was listing 
in the ssh preamble every language and locale it knew about, which 
turned out to be around 22k ascii char (!). I've never seen the problem 
with Cygwin before, though, and the network admin didn't tell me what he 
used to read the ssh preamble.

That said, 48 chars seems a tad low; are you at liberty to change it?

Ryan
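
The heuristic quoted in the message above, as an added example that is not part of the original post or the vendor's code: it runs the 1024-byte skip, 32768-byte window and 48-character threshold over two constructed server streams, one with a short key-exchange packet and one with a very long language list like the one described in the reply. Assumptions: "ASCII" means printable bytes 0x20-0x7E, the scan covers one direction of the connection, and the `skip` parameter name and all sample data are invented for illustration.

```python
import hashlib
import struct

def longest_ascii_run(data: bytes) -> int:
    """Longest run of printable ASCII (0x20-0x7E; this range is an assumption)."""
    best = run = 0
    for b in data:
        run = run + 1 if 0x20 <= b <= 0x7E else 0
        best = max(best, run)
    return best

def signature_fires(stream: bytes, version_end: int, skip: int = 1024,
                    charcount: int = 32768, threshold: int = 48) -> bool:
    """Apply the quoted heuristic to one direction of a TCP stream."""
    window = stream[version_end + skip:version_end + skip + charcount]
    return longest_ascii_run(window) >= threshold

def kexinit(name_lists) -> bytes:
    """Unencrypted SSH_MSG_KEXINIT packet (RFC 4253, sections 6 and 7.1)."""
    payload = b"\x14" + bytes(16)                  # message type 20, cookie zeroed here
    for names in name_lists:                       # ten length-prefixed name-lists
        payload += struct.pack(">I", len(names)) + names.encode("ascii")
    payload += b"\x00" + struct.pack(">I", 0)      # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8               # pad to a multiple of 8, minimum 4
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def fake_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted traffic."""
    blocks = (hashlib.sha256(struct.pack(">I", i)).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample data, not a capture.
BANNER = b"SSH-2.0-Example_1.0\r\n"
ALGS = ["diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1", "ssh-rsa",
        "aes128-ctr,aes256-ctr", "aes128-ctr,aes256-ctr", "hmac-sha1", "hmac-sha1",
        "none,zlib", "none,zlib"]
LANGS = ",".join(f"lang{i:04d}" for i in range(2500))   # about 22k ASCII characters

def build_stream(languages: str) -> bytes:
    return BANNER + kexinit(ALGS + [languages, ""]) + fake_ciphertext(40000)

TERSE = build_stream("")        # key exchange ends well inside the skipped 1024 bytes
VERBOSE = build_stream(LANGS)   # language list runs far past the skipped bytes

if __name__ == "__main__":
    for name, stream in (("terse", TERSE), ("verbose", VERBOSE)):
        print(name, signature_fires(stream, len(BANNER)))
```

The algorithm lists in an ordinary key-exchange packet already contain runs longer than 48 ASCII characters, so the rule stays quiet only while the cleartext handshake fits inside the skipped bytes.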

