[Snort-sigs] OpenSSH // SSH detection rules?

Phillip G Deneault deneault at ...920...
Mon Dec 8 09:23:09 EST 2003

I have been using this rule for a while now and only get a few false 
positives a day.  Its very useful for detecting hacked linux/solaris boxes 
due to the fact that lots of rootkits install ssh(and old versions at 

For your use, just change the src port field to 'any' and you should be 

If anyone else has a better rule, or can make this one better, I'd love to 
see it.


alert tcp any !22 -> any any (msg:"SSH server banner non-22"; 
offset:0; depth:5; content:"-"; flow:established,from_server; 

On Mon, 8 Dec 2003, Tony Hernandez wrote:

> Hey guys, I have recently had an interest for policy reasons here to 
detect incoming SSH connections to any of my subnets. Since, the port may 
not be the default port (22) and it seems that I can't really tell which 
side the "OpenSSH-" banner is coming from is there another way to detect 
ssh sessions at the packet level? By any packet pattern challenge/response etc? 
> Is anyone using a rule like this and or a rule that can detect something like this with little FP's ? any examples for this would be greatly appreciated as always.
> Tony Hernandez
> University of Florida
> -------------------------------------------------------
> This SF.net email is sponsored by: IBM Linux Tutorials.
> Become an expert in LINUX or just sharpen your skills.  Sign up for IBM's
> Free Linux Tutorials.  Learn everything from the bash shell to sys admin.
> Click now! http://ads.osdn.com/?ad_id78&alloc_id371&opÌk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Phil Deneault     "We work in the dark, We do what we can,
deneault at ...919...   We give what we have. Our doubt is our passion,
WPI NetOps         and our passion is our task. The rest is the
InfoSec            madness of art." - Henry James

More information about the Snort-sigs mailing list