[Snort-sigs] sid:617 usage requested.

Steve Halligan agent33 at ...22...
Thu Jan 17 13:58:11 EST 2002

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flags: A+; content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:1;)

I took the time to install sshscan (several different versions, actually),
and the content from the above rule does not show up anywhere in a packet
dump of the scan. Now, it is possible that the SSH Research Scanner (now
defunct) from the University of Alberta used an altered form of the scanner
that did have the above in the payload.

> I bet this is it:
> FROM http://openbsd.appli.se/openssh/history.html
> Scanning SSH Server Versions
> To facilitate the monitoring of deployed SSH servers, e.g. for a company
> network, Niels Provos wrote the scanssh tool. scanssh scans a list of
> addresses and networks for running SSH servers and their version numbers. It
> supports random selection of IP addresses from large network ranges and is
> useful for gathering statistics on the use of SSH servers in a company or
> the Internet as a whole. The statistics include the SSH protocol supported,
> and the software versions that are being used.
> scanssh is being used by the SSH Research Scanner at the University of
> Alberta to gather statistics about the deployment and use of the SSH
> protocol on the Internet. The measurements allow insights into the
> distribution of the different SSH protocols and the market penetration of
> particular server versions
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
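The check Steve describes (does the sid:617 content ever occur in a packet dump of the scanner?) can be scripted rather than eyeballed. The following is an added example, not code from the original post, from Snort, or from scanssh: it parses the rule's content field using Snort's content syntax (literal text outside `|...|`, hex bytes inside), applies the to-port-22 and `flags: A+` (ACK set) conditions, and reports which payloads match. The packets and the client banner string are constructed for the example; they are not a real scanssh capture.

```python
"""Test the sid:617 content match against sample SSH payloads.

Added example, not part of the original mailing-list post, Snort, or scanssh.
Packets below are constructed by hand to stand in for a packet dump.
"""

# Content field copied verbatim from the sid:617 rule quoted in the message.
SID_617_CONTENT = "|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|"


def parse_snort_content(content: str) -> bytes:
    """Convert a Snort content string to the raw bytes it matches.

    Snort content syntax: text outside |...| is literal, text inside |...|
    is space-separated hex.  Mixed forms such as "SSH-|0d 0a|" are allowed.
    """
    out = bytearray()
    in_hex = False
    for part in content.split("|"):
        if in_hex:
            out.extend(bytes.fromhex(part))  # fromhex tolerates whitespace
        else:
            out.extend(part.encode("latin-1"))
        in_hex = not in_hex
    return bytes(out)


def rule_matches(pkt: dict, needle: bytes, dport: int = 22) -> bool:
    """Apply the parts of sid:617 that a payload check can reproduce:
    destination port 22, ACK flag set (flags: A+), content anywhere in payload.
    Network variables ($EXTERNAL_NET/$HOME_NET) are not modelled here."""
    return pkt["dport"] == dport and "A" in pkt["flags"] and needle in pkt["payload"]


def content_offsets(payload: bytes, needle: bytes) -> list:
    """All offsets at which the content bytes occur in a payload, for
    confirming a hit by hand in a hex dump."""
    hits, start = [], 0
    while (idx := payload.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


def matching_packets(packets: list, content: str = SID_617_CONTENT) -> list:
    """Indexes of packets that would trigger the rule."""
    needle = parse_snort_content(content)
    return [i for i, p in enumerate(packets) if rule_matches(p, needle)]


# Constructed sample traffic (not a real capture).  A version scanner's
# exchange is plain ASCII banners; the last packet is a synthetic SSH-1 style
# binary payload that does carry the sid:617 bytes, to show a positive hit.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "flags": "S",
     "payload": b""},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "dport": 40000, "flags": "PA",
     "payload": b"SSH-1.99-OpenSSH_3.0.2p1\r\n"},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "flags": "PA",
     "payload": b"SSH-1.5-probe\r\n"},  # constructed client banner
    {"src": "10.0.0.5", "dst": "192.0.2.10", "dport": 22, "flags": "PA",
     "payload": b"\x00\x00\x00\x60" + b"\x00" * 8 + b"\x01\x00\x00\x00"
                + b"\x00" * 92},
]

if __name__ == "__main__":
    needle = parse_snort_content(SID_617_CONTENT)
    print("sid:617 content bytes:", needle.hex(" "))
    for i, pkt in enumerate(SAMPLE_PACKETS):
        hit = rule_matches(pkt, needle)
        where = content_offsets(pkt["payload"], needle) if hit else []
        print(f"packet {i}: dport={pkt['dport']} flags={pkt['flags']} "
              f"match={hit} offsets={where}")
```

Run the same functions over payloads pulled from a real dump (for example with a pcap reader) to confirm Steve's observation for a given scanner version: if `matching_packets` returns nothing for a full scan, the signature cannot be firing on that tool.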
