[Snort-sigs] sid:617 usage requested.

Steve Halligan agent33 at ...22...
Thu Jan 17 09:31:05 EST 2002

> I am also wading through the signatures trying to document them.  This
> is a head scratchre.
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN 
> ssh-research-scanner"; flags: A+; content:"|00 00 00 60 00 00 
> 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; 
> sid:617; rev:1;)
> Anyone know what this is, what its looking for, and where I can find
> information about it?

I bet this is it:

FROM http://openbsd.appli.se/openssh/history.html
Scanning SSH Server Versions
To facilitate the monitoring of deployed SSH servers, e.g. for a company
network, Niels Provos wrote the scanssh tool. scanssh scans a list of
addresses and networks for running SSH servers and their version numbers. It
supports random selection of IP addresses from large network ranges and is
useful for gathering statistics on the use of SSH servers in a company or
the Internet as whole. The statistics include the SSH protocol supported,
and the software versions that are being used. 
scanssh is being used by the SSH Research Scanner at the University of
Alberta to gather statistics about the deployment and use of the SSH
protocol on the Internet. The measurements allow insights into the
distribution of the different SSH protocols and the market penetration of
particular server versions 

More information about the Snort-sigs mailing list