By default, all alerts are disabled and the preprocessor checks traffic on port 22.
The available configuration options are described below.
This option specifies the ports on which the SSH preprocessor should inspect traffic.
The number of encrypted packets that Snort will inspect before ignoring a given SSH session. The SSH vulnerabilities that Snort can detect all happen at the very beginning of an SSH session. Once max_encrypted_packets packets have been seen, Snort ignores the session to increase performance. The default is set to 25. This value can be set from 0 to 65535.
The number of unanswered client bytes allowed to be transferred before alerting on Challenge-Response Overflow or CRC 32. This threshold must be reached before max_encrypted_packets packets have been seen, or else Snort will stop inspecting the session. The default is set to 19600. This value can be set from 0 to 65535.
The maximum number of bytes allowed in the SSH server version string before alerting on the Secure CRT server version string overflow. The default is set to 80. This value can be set from 0 to 255.
Attempts to automatically detect SSH traffic.
Enables checking for the Challenge-Response Overflow exploit.
Enables checking for the CRC 32 exploit.
Enables checking for the Secure CRT exploit.
Enables checking for the Protocol Mismatch exploit.
Enables alerts for traffic flowing in the wrong direction, for instance when the presumed server generates client traffic or a client generates server traffic.
Enables alerts for invalid payload sizes.
Enables alerts for non-SSH traffic on SSH ports.
The SSH preprocessor should work by default. After max_encrypted_packets is reached, the preprocessor stops processing traffic for a given session. If the Challenge-Response Overflow or CRC 32 checks produce false positives, try increasing the number of required client bytes with max_client_bytes.
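The interaction between max_encrypted_packets and max_client_bytes is easy to get wrong when tuning: if the packet budget runs out before the byte threshold can be reached, the overflow check never fires. The following is an added example written for this page, not Snort's source; it models that decision for a single session with constructed packet sizes, and the alert label and helper names are assumptions.

```python
from dataclasses import dataclass, field

OVERFLOW_ALERT = "Challenge-Response Overflow / CRC 32"  # label is an assumption

@dataclass
class SshConfig:
    """The two tuning options from the text, with Snort's documented defaults."""
    max_encrypted_packets: int = 25
    max_client_bytes: int = 19600

@dataclass
class SshSession:
    encrypted_packets: int = 0        # encrypted packets inspected so far
    unanswered_client_bytes: int = 0  # client bytes sent since the last server reply
    ignored: bool = False             # True once inspection of the session stops
    alerts: list = field(default_factory=list)

def process_packet(cfg: SshConfig, sess: SshSession, direction: str, size: int):
    """Feed one encrypted packet ('client' or 'server'); return an alert or None."""
    if sess.ignored:
        return None
    sess.encrypted_packets += 1
    if direction == "client":
        sess.unanswered_client_bytes += size
    else:
        sess.unanswered_client_bytes = 0   # a server reply answers the outstanding bytes
    alert = None
    # Byte threshold is checked before the packet budget: it only counts if it is
    # exceeded before max_encrypted_packets packets have been seen.
    if sess.unanswered_client_bytes > cfg.max_client_bytes and OVERFLOW_ALERT not in sess.alerts:
        alert = OVERFLOW_ALERT
        sess.alerts.append(alert)
    if sess.encrypted_packets >= cfg.max_encrypted_packets:
        sess.ignored = True              # performance cut-off: stop inspecting the session
    return alert

def run_session(cfg: SshConfig, packets) -> SshSession:
    """packets: iterable of (direction, size) tuples; returns the final session state."""
    sess = SshSession()
    for direction, size in packets:
        process_packet(cfg, sess, direction, size)
    return sess

def threshold_reachable(cfg: SshConfig, bytes_per_packet: int) -> bool:
    """Tuning sanity check: can all-client traffic of this packet size exceed
    max_client_bytes before the max_encrypted_packets budget is exhausted?"""
    return cfg.max_encrypted_packets * bytes_per_packet > cfg.max_client_bytes
```

With the defaults, 30 constructed 1000-byte client packets trigger the alert on packet 20 and the session is dropped from inspection at packet 25; lowering max_encrypted_packets to 10 silently disables the check for that traffic, which threshold_reachable flags.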