[Snort-sigs] Signature for scanning SSH versions
Hugo van der Kooij
hvdkooij at ...481...
Thu Jul 24 10:39:19 EDT 2003
On Thu, 24 Jul 2003, Jukka Juslin wrote:
> Would is be possible to have a signature to capture SSH server version
> scanning? There is one signature in the rules package, but it doesn't
> really detect basic thing, when somebody just queries the SSH-XXXXX header
> and then exists.
You can not match this with a signature.
You can match the version info but not the probing as you need to check
the behaviour of packets after you trigger on the packet containing the
To the best of my knowledge one can not write such signatures.
All email sent to me is bound to the rules described on my homepage.
hvdkooij at ...481... http://hvdkooij.xs4all.nl/
Don't meddle in the affairs of sysadmins,
for they are subtle and quick to anger.
More information about the Snort-sigs