(spp_ssh) Challenge-Response Overflow exploit

This alert is raised by the SSH preprocessor (spp_ssh) when traffic matches an attempt to exploit a buffer overflow in SSH challenge-response authentication. The preprocessor cannot inspect the authentication exchange itself, because it takes place after the key exchange and is encrypted; instead it counts the bytes the client sends to the server after the key exchange and alerts when that count exceeds a configured limit (the max_client_bytes option, default 19600) within a configured number of encrypted packets (max_encrypted_packets). The SSH version string exchanged at connection start is used to separate this SSHv2 alert from the related SSHv1 CRC 32 alert. The attack pattern being modelled is a client that sends far more data than a legitimate authentication response immediately after the server's challenge, in order to overrun the buffer that holds the response; a successful overflow can lead to arbitrary code execution on the SSH server or other compromise of the host.
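To make the byte-counting heuristic concrete, the following Python model replays a few synthetic SSH sessions through it. This is an added example, not Snort's spp_ssh source: the Packet and Session types, the encrypted flag that stands in for the post-key-exchange state, the 20-packet inspection window and all of the sample traffic are constructed here for illustration. Only the 19600-byte default is taken from the preprocessor's documented options.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# 19600 is spp_ssh's documented max_client_bytes default; the 20-packet
# window is an assumed value for this example (spp_ssh's max_encrypted_packets).
MAX_CLIENT_BYTES = 19600
MAX_ENCRYPTED_PACKETS = 20


@dataclass
class Packet:
    from_client: bool
    payload: bytes
    encrypted: bool = False   # constructed marker: True once the key exchange is done


@dataclass
class Session:
    version: Optional[str] = None          # "1" or "2", parsed from the client banner
    encrypted_pkts: int = 0                # client packets seen after the key exchange
    client_bytes: int = 0                  # payload bytes in those packets
    alerts: List[str] = field(default_factory=list)


def parse_banner(payload: bytes) -> Optional[str]:
    """Map an SSH identification string ("SSH-2.0-...") to a protocol major version."""
    if not payload.startswith(b"SSH-"):
        return None
    proto = payload[4:].split(b"-", 1)[0]  # b"2.0", b"1.5" or b"1.99"
    # 1.99 advertises v2 capability, so it is treated as v2 here.
    return "2" if proto in (b"2.0", b"1.99") else "1"


def inspect(sess: Session, pkt: Packet) -> Optional[str]:
    """Feed one packet into the session; return the alert name if this packet trips it."""
    if not pkt.encrypted:
        # Cleartext phase: the only thing we learn is the protocol version.
        if pkt.from_client and sess.version is None:
            sess.version = parse_banner(pkt.payload)
        return None
    if not pkt.from_client or sess.alerts:
        return None            # only client->server bytes count; one alert per session
    sess.encrypted_pkts += 1
    if sess.encrypted_pkts > MAX_ENCRYPTED_PACKETS:
        return None            # window exhausted: the session is no longer inspected
    sess.client_bytes += len(pkt.payload)
    if sess.client_bytes > MAX_CLIENT_BYTES:
        # Same byte counter, two names: the version string decides which alert fires.
        name = "CRC 32" if sess.version == "1" else "Challenge-Response Overflow"
        sess.alerts.append(name)
        return name
    return None


def run_session(packets: List[Packet]) -> List[str]:
    """Run a whole session through inspect() and collect the alerts it produced."""
    sess = Session()
    return [a for a in (inspect(sess, p) for p in packets) if a]


# Constructed traffic samples (not captured data).
BANNER_V2 = Packet(True, b"SSH-2.0-OpenSSH_3.3\r\n")
BANNER_V1 = Packet(True, b"SSH-1.5-OpenSSH_3.3\r\n")
SERVER_BANNER = Packet(False, b"SSH-2.0-OpenSSH_3.3\r\n")

# Exploit-style burst right after the authentication challenge: 3 x 8000 bytes.
ATTACK_V2 = [BANNER_V2, SERVER_BANNER] + [Packet(True, b"A" * 8000, encrypted=True) for _ in range(3)]
# Interactive shell: many small keystroke packets never reach the threshold.
INTERACTIVE = [BANNER_V2, SERVER_BANNER] + [Packet(True, b"k" * 64, encrypted=True) for _ in range(50)]
# The same burst over SSHv1 maps to the sibling CRC 32 alert.
ATTACK_V1 = [BANNER_V1] + [Packet(True, b"B" * 20000, encrypted=True)]
# A legitimate bulk upload (scp/sftp) immediately after login looks identical to the counter.
UPLOAD = [BANNER_V2, SERVER_BANNER] + [Packet(True, b"\x00" * 32768, encrypted=True)]

if __name__ == "__main__":
    for label, pkts in [("attack v2", ATTACK_V2), ("interactive", INTERACTIVE),
                        ("attack v1", ATTACK_V1), ("upload", UPLOAD)]:
        print(f"{label:12s} -> {run_session(pkts)}")
```

The UPLOAD case is the point worth noticing: the heuristic has no view into the encrypted payload, so a large transfer started straight after authentication produces exactly the same alert as an exploit burst. That is why this signature is a lead to be corroborated against server-side logs rather than a confirmed detection.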

ID Number

9000021

Signature

-

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

Because the detection is a byte count rather than a match on exploit content, the alert also fires on any client that sends a large volume of data right after the key exchange, including legitimate scp/sftp uploads, so treat it as a lead rather than a confirmed intrusion. If it is firing repeatedly as a false positive, tune the preprocessor's max_client_bytes and max_encrypted_packets options first, and disable the alert only if it cannot be made useful in your environment. When it does fire, identify the source address and check whether the targeted server is actually exposed: confirm the sshd version and whether challenge-response (keyboard-interactive) authentication is enabled (for OpenSSH, sshd -T prints the effective configuration), and patch or update the SSH server if it is running an affected release. Correlate the alert with the server's authentication logs for the same source and time window (repeated or malformed challenge-response attempts, or an sshd crash around the alert time, are the signals to look for) and review the captured traffic for that session. Block the source at the firewall if the activity is not explained by a legitimate transfer. If there is any indication the overflow succeeded, treat the host as compromised and move to incident response; an antivirus scan of the server is at best a supplementary check, not confirmation that the host is clean.