[Snort-sigs] Sig to catch rogue SSH servers

Jon warchild at ...288...
Sun Feb 9 20:01:01 EST 2003


Greetings,

I'm using the following rule to catch rogue SSH servers that are typically
installed after a compromise.  Typically, they run on ports other than 22
and are frequently backdoored.

This simply looks for a packet that is likely to be an SSH server
identifying itself.  According to the RFC [1], an SSH server must identify
itself.  The common part of this identification is "SSH-" at the beginning
of the payload.  To reduce false positives, I've restricted it to packets
with a payload less than 50 bytes.

Of all SSH identification strings, the longest one I found was this:

SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-4

I'm pretty happy with it so far, and it even made me discover that a box on
our network runs SSH on some high "administrative" port.  It's a good thing
that's not documented.  *fumes*

Anyway, here it is:

# server-side banner leaving $HOME_NET from any port except 22
alert tcp $HOME_NET !22 -> $EXTERNAL_NET any ( \
    msg:"SSH on non-standard port"; \
    flow:from_server,established; \
    content:"SSH-"; depth:4; dsize:<50; \
    classtype:bad-unknown; sid:100003;)

-jon


[1]
http://www.ietf.org/internet-drafts/draft-ietf-secsh-transport-15.txt
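The rule's five match conditions, re-implemented in Python as an added example (this is not code from the original post or from Snort) and run over a handful of constructed TCP segments, so the conditions and their blind spots can be checked offline. The `Segment` class, the sample payloads and the `rule_fires`/`parse_banner`/`scan` helpers are assumptions made for this example; the identification-string grammar is the one in the secsh transport draft (now RFC 4253, section 4.2): `SSH-protoversion-softwareversion SP comments CR LF`.

```python
"""Python mirror of the posted Snort rule (added example, not from the post),
run over constructed segments so the match logic can be checked offline."""
import re
from dataclasses import dataclass

# Identification string per the secsh transport draft / RFC 4253 section 4.2:
#   SSH-protoversion-softwareversion SP comments CR LF   (comments optional)
SSH_ID_RE = re.compile(
    rb"^SSH-(?P<proto>[0-9.]+)-(?P<soft>[^ \r\n]+)(?: (?P<comment>[^\r\n]*))?\r?\n"
)


@dataclass
class Segment:
    """Minimal view of a TCP segment plus the flow state the rule needs (assumed)."""
    src_port: int        # for from_server traffic this is the server's port
    from_server: bool    # Snort flow:from_server
    established: bool    # Snort flow:established
    payload: bytes


def rule_fires(seg: Segment, max_dsize: int = 50) -> bool:
    """Same conditions as the posted rule:
    $HOME_NET !22 -> $EXTERNAL_NET any; flow:from_server,established;
    content:"SSH-"; depth:4; dsize:<50."""
    return bool(
        seg.from_server
        and seg.established
        and seg.src_port != 22              # !22 on the server side
        and seg.payload[:4] == b"SSH-"      # content:"SSH-"; depth:4
        and len(seg.payload) < max_dsize    # dsize:<50
    )


def parse_banner(payload: bytes):
    """Parse an SSH identification line; None if the payload is not one."""
    m = SSH_ID_RE.match(payload)
    if m is None:
        return None
    return {
        "proto": m["proto"].decode(),
        "software": m["soft"].decode(),
        "comment": (m["comment"] or b"").decode(),
    }


# Constructed sample segments (not captured traffic).
SAMPLES = {
    # the longest banner the post cites, 38 characters plus CRLF = 40 bytes
    "openssh_2222": Segment(2222, True, True, b"SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-4\r\n"),
    # same banner on port 22: excluded by the "!22" source port
    "openssh_22": Segment(22, True, True, b"SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-4\r\n"),
    # a client's own banner: excluded by flow:from_server
    "client_banner": Segment(40000, False, True, b"SSH-2.0-OpenSSH_3.5p1\r\n"),
    # a v1.99 (v1/v2 compatible) banner on a high port
    "cisco_31337": Segment(31337, True, True, b"SSH-1.99-Cisco-1.25\r\n"),
    # a valid banner with a long comment field: 64 bytes, so dsize:<50 misses it
    "long_comment": Segment(2222, True, True, b"SSH-2.0-OpenSSH_3.5p1 " + b"x" * 40 + b"\r\n"),
    # unrelated short server banner: fails the content check
    "http": Segment(8080, True, True, b"HTTP/1.0 200 OK\r\n"),
}


def scan(samples):
    """Per sample: (does the rule fire?, what the banner parses to)."""
    return {name: (rule_fires(seg), parse_banner(seg.payload))
            for name, seg in samples.items()}


if __name__ == "__main__":
    for name, (fired, banner) in scan(SAMPLES).items():
        print(f"{name:14} alert={str(fired):5} banner={banner}")
```

The `long_comment` case is the caveat to keep in mind: the identification line's comment field is free-form, so a banner over 49 bytes is still a perfectly valid server hello that `dsize:<50` silently drops. The transport spec also allows a server to send other lines of text before its version string, which `depth:4` would not see either. Neither limit is wrong for the stated goal of cutting false positives, but they are worth knowing when the rule stays quiet.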
