[Snort-sigs] Signature for scanning SSH versions

Matt Kettler mkettler at ...189...
Thu Jul 24 18:00:03 EDT 2003


At 08:37 PM 7/24/2003 -0400, Wes Young wrote:
>doesn't an ssh request have a signature?? and shouldn't each version have a 
>sig (something that you can find in a syn request)?? To negotiate (sp) the 
>ssh version?

Yes, but the version is ALWAYS reported.. in order to detect version 
scanning you'd need to detect that someone connected, and disconnected 
before logging in... hence the need for tagging.  You're looking for a 
time-based pattern of packets, not a pattern of data present in a single 
packet.
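
The time-based correlation described in the reply above, as an added example that is not part of the original post or of Snort: it tracks each port-22 flow and flags a source that repeatedly connects and disconnects without ever logging in. The event labels, the threshold, the window and the sample addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample events: (time_s, src_ip, dst_ip, src_port, event).
# The event labels are hypothetical names a sensor might emit per TCP/22 flow.
EVENTS = []
for i, dst in enumerate(["198.51.100.1", "198.51.100.2", "198.51.100.3"]):
    t = i * 2.0  # one source touching three servers, never logging in
    EVENTS += [(t, "192.0.2.10", dst, 40000 + i, "connect"),
               (t + 0.1, "192.0.2.10", dst, 40000 + i, "banner"),
               (t + 0.2, "192.0.2.10", dst, 40000 + i, "close")]
EVENTS += [
    # Ordinary user: the same banner is sent, but a login follows.
    (1.0, "192.0.2.20", "198.51.100.1", 51000, "connect"),
    (1.1, "192.0.2.20", "198.51.100.1", 51000, "banner"),
    (5.0, "192.0.2.20", "198.51.100.1", 51000, "login"),
    (300.0, "192.0.2.20", "198.51.100.1", 51000, "close"),
    # A single aborted connection must not be enough to alert.
    (10.0, "192.0.2.30", "198.51.100.2", 52000, "connect"),
    (10.1, "192.0.2.30", "198.51.100.2", 52000, "banner"),
    (10.3, "192.0.2.30", "198.51.100.2", 52000, "close"),
]

def short_sessions(events):
    """Yield (close_time, src, dst) for flows that closed without a login."""
    logged_in = {}  # (src, dst, sport) -> True once a login was seen
    for t, src, dst, sport, ev in sorted(events):
        key = (src, dst, sport)
        if ev == "connect":
            logged_in[key] = False
        elif ev == "login" and key in logged_in:
            logged_in[key] = True
        elif ev == "close" and key in logged_in:
            if not logged_in.pop(key):
                yield t, src, dst

def version_scanners(events, threshold=3, window=60.0):
    """Sources with >= threshold no-login sessions to distinct hosts in window s."""
    recent = defaultdict(deque)  # src -> deque of (close_time, dst)
    flagged = set()
    for t, src, dst in short_sessions(events):
        q = recent[src]
        q.append((t, dst))
        while q and t - q[0][0] > window:  # expire sessions outside the window
            q.popleft()
        if len({d for _, d in q}) >= threshold:
            flagged.add(src)
    return flagged

if __name__ == "__main__":
    print(sorted(version_scanners(EVENTS)))
```

The banner event appears in every flow, scanner and legitimate user alike, which is why no single-packet content match separates them; only the per-source state kept across flows does.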




