[Snort-sigs] Signature for scanning SSH versions

Hugo van der Kooij hvdkooij at ...481...
Thu Jul 24 10:39:19 EDT 2003

On Thu, 24 Jul 2003, Jukka Juslin wrote:

> Would is be possible to have a signature to capture SSH server version
> scanning? There is one signature in the rules package, but it doesn't
> really detect basic thing, when somebody just queries the SSH-XXXXX header
> and then exists.

You can not match this with a signature.

You can match the version info but not the probing as you need to check 
the behaviour of packets after you trigger on the packet containing the 
version info.

To the best of my knowledge one can not write such signatures.


 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.

More information about the Snort-sigs mailing list