[Snort-sigs] sid:617 usage requested.
mkettler at ...189...
Thu Jan 17 14:24:03 EST 2002
I can't say exactly why it is looking for that specific byte pattern, but
I'd strongly suspect it is a pattern generated by the scanssh tool that
normal SSH clients do not generate. I suspect the SSH security scanner has
many simplifications of the SSH protocol and this signature probably picks
up on this. (i.e. the scanner probably has no need to provide strong random
numbers for the encryption layer; it is just looking to get the version
string and disconnect.)
I'm not sufficiently fluent in the breakdown of SSH protocol packets to
know exactly what this packet bit is, but if you're really that
curious, download the scanssh code and observe what it does with tcpdump.
At 03:55 PM 1/17/2002 -0500, Brian wrote:
>According to James:
> > > I am also wading through the signatures trying to document them. This
> > > is a head scratcher.
> > >
> > http://www.google.com/search?q=ssh+research+scanner&btnG=Google+Search
>Thanks for the incredibly useful information.
>did you read the signature?
>Nothing from that google search explains what the content is looking for
>and why. (content:"|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|";)
>Remember - if all you have is an axe, every problem looks like hours of fun.
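As an added example (not from the thread, and not Snort's or scanssh's own code): a small Python helper that turns the sid:617 content string quoted above into raw bytes, checks constructed sample payloads against it, and decodes the SSH-1 packet header so the all-zero padding and message type the rule keys on become visible. It assumes the SSH-1 binary packet layout (4-byte big-endian length, 8 - (length mod 8) padding bytes, 1-byte message type); both payloads are constructed, not captured.

```python
# Content match of sid:617 as quoted in the thread.
SID617_CONTENT = '|00 00 00 60 00 00 00 00 00 00 00 00 01 00 00 00|'


def parse_snort_content(spec: str) -> bytes:
    """Convert a Snort content string into raw bytes.

    Text between a pair of '|' is space-separated hex; text outside
    the pipes is literal. (Escaped pipes are not handled here.)
    """
    out = bytearray()
    for i, part in enumerate(spec.split('|')):
        if i % 2 == 1:                      # odd index: inside |...|
            out += bytes.fromhex(part.replace(' ', ''))
        else:                               # even index: literal text
            out += part.encode('latin-1')
    return bytes(out)


SID617_PATTERN = parse_snort_content(SID617_CONTENT)


def matches_sid617(payload: bytes) -> bool:
    """True if the sid:617 byte pattern appears anywhere in the payload."""
    return SID617_PATTERN in payload


def describe_ssh1_packet(payload: bytes) -> dict:
    """Decode the SSH-1 binary packet header (assumed layout, see lead-in).

    length  : 4-byte big-endian length of type + data + CRC
    padding : 8 - (length % 8) bytes, random in a real client
    type    : 1 byte; 0x01 is SSH_MSG_DISCONNECT
    """
    length = int.from_bytes(payload[:4], 'big')
    pad_len = 8 - (length % 8)
    padding = payload[4:4 + pad_len]
    return {
        'length': length,
        'pad_len': pad_len,
        'padding_all_zero': all(b == 0 for b in padding),
        'msg_type': payload[4 + pad_len],
    }


# Constructed sample payloads (not real captures): length 0x60, then 8
# padding bytes, then type 0x01 and the start of a disconnect string.
SCANNER_PAYLOAD = bytes.fromhex('00000060') + bytes(8) + b'\x01\x00\x00\x00\x03bye'
CLIENT_PAYLOAD = (bytes.fromhex('00000060') + bytes.fromhex('a13f9c07e25d6b48')
                  + b'\x01\x00\x00\x00\x03bye')
```

Only the scanner-style payload with zeroed padding trips the rule; the client-style one with random padding carries the same length and message type but does not match.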