[Snort-sigs] Signature for scanning SSH versions

Matt Kettler mkettler at ...189...
Thu Jul 24 13:28:12 EDT 2003

At 07:38 PM 7/24/2003 +0200, Hugo van der Kooij wrote:
>You can match the version info but not the probing as you need to check
>the behaviour of packets after you trigger on the packet containing the
>version info.
>To the best of my knowledge one can not write such signatures.

Theoretically it might be possible using tagging, but tagged rules are a 
bit complicated to construct. 

More information about the Snort-sigs mailing list