[Snort-sigs] OpenSSH // SSH detection rules?
Phillip G Deneault
deneault at ...920...
Mon Dec 8 09:23:09 EST 2003
I have been using this rule for a while now and only get a few false
positives a day. It's very useful for detecting hacked Linux/Solaris boxes
due to the fact that lots of rootkits install ssh (and old versions at
For your use, just change the src port field to 'any' and you should be
If anyone else has a better rule, or can make this one better, I'd love to
# Server-side SSH banner seen from a source port other than 22
alert tcp any !22 -> any any (msg:"SSH server banner non-22"; flow:established,from_server; content:"-"; offset:0; depth:5;)
On Mon, 8 Dec 2003, Tony Hernandez wrote:
> Hey guys, I have recently had an interest for policy reasons here to
> detect incoming SSH connections to any of my subnets. Since the port may
> not be the default port (22) and it seems that I can't really tell which
> side the "OpenSSH-" banner is coming from, is there another way to detect
> ssh sessions at the packet level? By any packet pattern, challenge/response etc?
> Is anyone using a rule like this and or a rule that can detect something like this with few FPs? Any examples for this would be greatly appreciated as always.
> Tony Hernandez
> University of Florida
Phil Deneault
deneault at ...919...
WPI NetOps
InfoSec

"We work in the dark, We do what we can, We give what we have. Our doubt is our passion, and our passion is our task. The rest is the madness of art." - Henry James
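As an added example, not part of the thread or of Snort, the rule's logic replayed in Python over constructed segments: an established flow, payload sent by the server side, server port other than 22, and the SSH identification string (RFC 4253 section 4.2, "SSH-protoversion-softwareversion") anchored at payload offset 0. The Segment record, the sample traffic and the software versions in it are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4253 s4.2 identification string: "SSH-protoversion-softwareversion [comments]" CR LF
IDENT = re.compile(rb"^SSH-(\d\.\d+)-([^\r\n ]+)")


@dataclass
class Segment:
    """One TCP payload in an established flow (hypothetical record, not a Snort type)."""
    src_port: int
    dst_port: int
    from_server: bool   # True when the payload travels server -> client
    payload: bytes


def ssh_ident(payload: bytes) -> Optional[tuple[str, str]]:
    """Return (protoversion, softwareversion) if payload starts with an SSH ident string."""
    m = IDENT.match(payload[:255])      # the spec caps the identification line at 255 bytes
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii")


def alert_non22(seg: Segment) -> Optional[str]:
    """Mirror the rule: from_server, server port != 22, banner at payload offset 0
    (offset:0 / depth:5 in the rule corresponds to the '^' anchor here)."""
    if not seg.from_server or seg.src_port == 22:
        return None
    ident = ssh_ident(seg.payload)
    if ident is None:
        return None
    return f"SSH server banner non-22: {seg.src_port} -> {seg.dst_port} {ident[1]}"


# Constructed traffic: OpenSSH answering on 2222; the same banner sent by a client
# (both sides send one, so direction is what separates them); a server on 22; HTTP on 8080.
SAMPLES = [
    Segment(2222, 51000, True,  b"SSH-2.0-OpenSSH_3.7.1p2\r\n"),
    Segment(51000, 2222, False, b"SSH-2.0-OpenSSH_3.7.1p2\r\n"),
    Segment(22, 51001, True,    b"SSH-1.99-OpenSSH_3.7.1p2\r\n"),
    Segment(8080, 51002, True,  b"HTTP/1.1 200 OK\r\n"),
]


def run(segments=SAMPLES) -> list[str]:
    """Return the alerts raised over a list of segments."""
    return [a for a in (alert_non22(s) for s in segments) if a]


if __name__ == "__main__":
    for line in run():
        print(line)
```

Only the first sample fires: the client's copy of the banner is dropped by the direction check, which is the distinction the question above was asking about.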