[Snort-sigs] Signature for scanning SSH versions

Jukka Juslin jtjuslin at ...1151...
Fri Jul 25 00:46:02 EDT 2003


An SSH request must have a signature somewhere. But after that it would
be important to detect that 1) the connection was terminated instantly
after start, and 2) a threshold, say 10 hosts scanned in 10 seconds.

Is that possible?

Thanks,
Jukka


On Thu, 24 Jul 2003, Wes Young wrote:

->Doesn't an ssh request have a signature? And shouldn't each version have a sig (something that you can find in a syn request)? To negotiate the ssh version?
->
->>>> Matt Kettler <mkettler at ...189...> 07/24 4:27 PM >>>
->At 07:38 PM 7/24/2003 +0200, Hugo van der Kooij wrote:
->>You can match the version info but not the probing as you need to check
->>the behaviour of packets after you trigger on the packet containing the
->>version info.
->>
->>To the best of my knowledge one can not write such signatures.
->>
->>Hugo
->
->Theoretically it might be possible using tagging, but tagged rules are a
->bit complicated to construct.
->
->
->
->-------------------------------------------------------
->This SF.Net email sponsored by: Free pre-built ASP.NET sites including
->Data Reports, E-commerce, Portals, and Forums are available now.
->Download today and enter to win an XBOX or Visual Studio .NET.
->http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
->_______________________________________________
->Snort-sigs mailing list
->Snort-sigs at lists.sourceforge.net
->https://lists.sourceforge.net/lists/listinfo/snort-sigs
->

--
Jukka Juslin (M.Sc.)            "The theater was in complete confusion.
http://www.cs.hut.fi/u/jtjuslin/ Some were shouting one thing, some another,
Jukka.Juslin at ...1150...              and most did not even know
+ 358 40 520 9879                why they had gathered." Acts 19:32
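
The two conditions asked about in this message (connections that end right after they start, and a threshold of 10 hosts in 10 seconds), as an added example that is not part of the original thread: a sliding-window check over connection records rather than a Snort rule. The record layout, the 1-second cutoff for "terminated instantly" and every address below are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # from the post: "10 hosts ... in 10 seconds"
MIN_HOSTS = 10
MAX_DURATION = 1.0    # assumption: "terminated instantly" = closed within 1 s
SSH_PORT = 22

def build_sample_flows():
    """Constructed records: (start_time, src, dst, dst_port, duration_seconds)."""
    flows = []
    # One source touching 12 hosts half a second apart, each connection dropped at once.
    for i in range(12):
        flows.append((100.0 + 0.5 * i, "192.0.2.50", f"10.0.0.{i + 1}", SSH_PORT, 0.2))
    # An administrator with long interactive sessions to three hosts.
    for i in range(3):
        flows.append((101.0 + i, "198.51.100.7", f"10.0.0.{i + 1}", SSH_PORT, 900.0))
    # Short connections to 12 hosts, five seconds apart: under the threshold.
    for i in range(12):
        flows.append((100.0 + 5.0 * i, "203.0.113.9", f"10.0.0.{i + 1}", SSH_PORT, 0.2))
    # Fast, short connections to many hosts, but not to the SSH port.
    for i in range(12):
        flows.append((100.0 + 0.5 * i, "192.0.2.77", f"10.0.0.{i + 1}", 80, 0.2))
    return flows

def detect_ssh_version_scans(flows, window=WINDOW_SECONDS, min_hosts=MIN_HOSTS,
                             max_duration=MAX_DURATION):
    """Return {src: time the threshold was first reached} for sources that open
    short-lived SSH connections to at least min_hosts distinct hosts in window seconds."""
    recent = defaultdict(deque)   # src -> (start_time, dst) pairs still in the window
    alerts = {}
    for ts, src, dst, port, duration in sorted(flows):
        # Condition 1: an SSH connection that was closed almost immediately.
        if port != SSH_PORT or duration > max_duration:
            continue
        queue = recent[src]
        queue.append((ts, dst))
        # Drop events that have aged out of the sliding window.
        while ts - queue[0][0] > window:
            queue.popleft()
        # Condition 2: count distinct destinations, not raw connection attempts.
        if src not in alerts and len({d for _, d in queue}) >= min_hosts:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, ts in detect_ssh_version_scans(build_sample_flows()).items():
        print(f"possible SSH version scan from {src}, threshold reached at t={ts}")
```

Counting distinct destinations per source is what separates this from a per-packet signature: the state lives across connections, which is the part the thread says a single rule cannot express.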



