[Snort-sigs] Sig to catch rogue SSH servers

James Hoagland jim at ...80...
Thu Feb 13 06:00:14 EST 2003

At 11:00 PM -0500 2/9/03, Jon wrote:
>This simply looks for a packet that is likely to be a SSH server
>identifying itself.  According to the RFC [1], a SSH server must identify
>itself.  The common part of this identification is "SSH-" at the beginning
>of the payload.  To reduce false positives, I've restricted it to packets
>with a payload less than 50 bytes.

Of course, it is easy to evade this signature by not following the 
convention or by having a long id string (and this is something that 
is trivial for an attacker to change).  It'll work most of the time.

You might consider using Spade 
(http://www.silicondefense.com/software/spice/) to find rogue 
servers.  See the post I just made to snort-users in response to 
someone wanting to detect warez servers:


Best regards,


|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim at ...80..., http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
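The banner check discussed in the thread, as an added example that is not the original poster's Snort rule and not Silicon Defense code: a Python re-implementation of the conditions as the post describes them (payload begins with "SSH-" and is shorter than 50 bytes), run over constructed sample payloads so that both the hits and the long-identification-string evasion Jim points out are visible. The version strings, the 40-byte comment padding and the helper names are my own assumptions; the identification string format ("SSH-protoversion-softwareversion SP comments CR LF") is the one from the SSH transport specification (RFC 4253, section 4.2).

```python
# Added example (not the original poster's rule, nor Silicon Defense code):
# a re-implementation of the banner check as the post describes it, run over
# constructed sample payloads to show what it catches and what evades it.

from typing import Dict, List, Optional, Tuple

MAX_PAYLOAD = 50  # the post's "payload less than 50 bytes" restriction


def matches_banner_sig(payload: bytes) -> bool:
    """True when a TCP payload would trigger the signature as described:
    it starts with 'SSH-' and is shorter than MAX_PAYLOAD bytes."""
    return payload.startswith(b"SSH-") and len(payload) < MAX_PAYLOAD


def parse_ssh_banner(payload: bytes) -> Optional[Tuple[str, str, str]]:
    """Parse an SSH identification string of the form
    'SSH-protoversion-softwareversion [comments] CR LF' (RFC 4253 4.2,
    the convention the post relies on). Returns (proto, software, comments)
    or None if the first line is not a well-formed identification string."""
    if not payload.startswith(b"SSH-"):
        return None
    line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    ident, _, comments = line[4:].partition(b" ")
    proto, sep, software = ident.partition(b"-")
    if not sep or not proto or not software:
        return None
    return (proto.decode("ascii", "replace"),
            software.decode("ascii", "replace"),
            comments.decode("ascii", "replace"))


# Constructed sample payloads (assumed, not captured traffic). The padded
# comment field is the "long id string" evasion Jim describes: still a
# valid banner, but the payload is no longer under 50 bytes.
SAMPLE_PAYLOADS: Dict[str, bytes] = {
    "openssh": b"SSH-2.0-OpenSSH_3.5p1\r\n",              # 23 bytes
    "compat": b"SSH-1.99-OpenSSH_3.4p1\r\n",              # 24 bytes
    "padded": b"SSH-2.0-OpenSSH_3.5p1 " + b"x" * 40 + b"\r\n",  # 64 bytes
    "http": b"HTTP/1.0 200 OK\r\n",                       # not SSH at all
}


def scan(payloads: Dict[str, bytes]) -> List[str]:
    """Return the names of payloads the signature would alert on."""
    return [name for name, data in payloads.items() if matches_banner_sig(data)]


def evaded(payloads: Dict[str, bytes]) -> List[str]:
    """Return the names of well-formed SSH banners the signature misses."""
    return [name for name, data in payloads.items()
            if parse_ssh_banner(data) is not None
            and not matches_banner_sig(data)]


if __name__ == "__main__":
    print("alerts:", scan(SAMPLE_PAYLOADS))    # ['openssh', 'compat']
    print("evaded:", evaded(SAMPLE_PAYLOADS))  # ['padded']
```

Two further caveats a practitioner would want: both peers send an identification string, so without a direction or flow constraint the same match also fires on outbound SSH clients, not only on servers; and a per-packet content match at payload offset 0 is also missed when the banner is split across TCP segments, which the 50-byte limit does nothing to address.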
