[Snort-sigs] Sig to catch rogue SSH servers
warchild at ...288...
Sun Feb 9 20:01:01 EST 2003
I'm using the following rule to catch rogue SSH servers that are typically
installed after a compromise. Typically, they run on ports other than 22
and are frequently backdoored.
This simply looks for a packet that is likely to be an SSH server
identifying itself. According to the RFC, an SSH server must identify
itself. The common part of this identification is "SSH-" at the beginning
of the payload. To reduce false positives, I've restricted it to packets
with a payload less than 50 bytes.
Of all SSH identification strings, the longest one I found was this:
SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-4
I'm pretty happy with it so far, and it even made me discover that a box on
our network runs SSH on some high "administrative" port. It's a good thing
that's not documented. *fumes*
Anyway, here it is:
alert tcp $HOME_NET !22 -> $EXTERNAL_NET any (msg:"SSH on non-standard port"; flow:from_server,established; content:"SSH-"; depth:4; dsize:<50;)
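The matching logic of the rule above, re-implemented in Python over a handful of constructed TCP segments so the hits, the non-hits and the dsize edge case can be inspected offline. This is an added example, not code from the original post or from Snort: the $HOME_NET test is stood in for by an assumed 10.0.0.0/24 prefix, the Segment type and all sample banners (apart from the OpenSSH one quoted in the post) are constructed here.

```python
from dataclasses import dataclass

# Constructed stand-in for $HOME_NET: treat 10.0.0.0/24 as "ours".
HOME_NET_PREFIX = "10.0.0."

@dataclass
class Segment:
    """One TCP segment as seen by the sensor (constructed, not a pcap type)."""
    src_port: int    # server-side port: the rule uses flow:from_server
    dst_port: int
    payload: bytes   # application data only, what Snort measures with dsize


def matches_rule(src_ip: str, seg: Segment) -> bool:
    """Mirror of:
    alert tcp $HOME_NET !22 -> $EXTERNAL_NET any (flow:from_server,established;
      content:"SSH-"; depth:4; dsize:<50;)
    The 'established' flow state is assumed already satisfied by the caller.
    """
    if not src_ip.startswith(HOME_NET_PREFIX):
        return False                       # server must be inside $HOME_NET
    if seg.src_port == 22:
        return False                       # !22: the real sshd port is exempt
    if len(seg.payload) >= 50:
        return False                       # dsize:<50 (strictly less than)
    # content:"SSH-"; depth:4  -> only the first four payload bytes are checked
    return seg.payload[:4] == b"SSH-"


# Banner quoted in the post (38 chars + CRLF = 40 bytes), plus constructed variants.
OPENSSH_BANNER = b"SSH-2.0-OpenSSH_3.5p1 Debian 1:3.5p1-4\r\n"
LONG_BANNER = b"SSH-2.0-" + b"X" * 50 + b"\r\n"    # 60 bytes: over the dsize cap

# (label, server IP, segment) - all constructed sample traffic.
SAMPLES = [
    ("rogue-high-port",   "10.0.0.5",  Segment(31337, 51000, OPENSSH_BANNER)),
    ("legit-port-22",     "10.0.0.5",  Segment(22,    51001, OPENSSH_BANNER)),
    ("external-server",   "192.0.2.7", Segment(2222,  51002, OPENSSH_BANNER)),
    ("banner-too-long",   "10.0.0.9",  Segment(2222,  51003, LONG_BANNER)),
    ("http-not-ssh",      "10.0.0.5",  Segment(8080,  51004, b"HTTP/1.1 200 OK\r\n")),
    ("ssh-not-at-start",  "10.0.0.5",  Segment(8080,  51005, b"xxSSH-2.0-foo\r\n")),
]


def scan(samples):
    """Return the labels of all samples the rule would alert on."""
    return [label for label, ip, seg in samples if matches_rule(ip, seg)]


def payload_size(seg: Segment) -> int:
    """Expose the dsize value so the cap can be checked against real banners."""
    return len(seg.payload)


if __name__ == "__main__":
    for label, ip, seg in SAMPLES:
        print(f"{label:18} dsize={payload_size(seg):3}  alert={matches_rule(ip, seg)}")
```

Only `rogue-high-port` fires. The `banner-too-long` case is the trade-off the post accepts with `dsize:<50`: a server that appends a longer version or comment string to its identification line slips under the rule, so the cap is worth re-checking against the banners actually seen on the network.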