[Snort-sigs] sid:617 usage requested.

Matt Kettler mkettler at ...189...
Thu Jan 17 14:24:03 EST 2002

I can't say exactly why it is looking for that specific byte pattern, but 
I'd strongly suspect it is a pattern generated by the scanssh tool that 
normal SSH clients do not generate. I suspect the SSH security scanner has 
many simplifications of the SSH protocol and this signature probably picks 
up on this. (ie: the scanner probably has no need to provide strong random 
numbers for the encryption layer.. it is just looking to get the version 
string and disconnect.)

I'm not sufficiently fluent in the breakdown of SSH protocol packets to 
know exactly what this packet bit is exactly, but If you're really that 
curious, download the scanssh code and observe what it does with tcpdump..


At 03:55 PM 1/17/2002 -0500, Brian wrote:
>According to James:
> > > I am also wading through the signatures trying to document them.  This
> > > is a head scratchre.
> > >
> >
> > http://www.google.com/search?q=ssh+research+scanner&btnG=Google+Search
>Thanks for the incredibly useful information.
>did you read the signature?
>Nothing from that google search explains what the content looking for
>and why.  (content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|";)
>Remember - if all you have is an axe, every problem looks like hours of fun.
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list