[Snort-sigs] Signature for scanning SSH versions

Christopher Lubrecht Christopher.Lubrecht at ...381...
Fri Jul 25 07:19:10 EDT 2003


I agree with the tagging suggestion.  Set the sig to something like:

alert tcp $HOME_NET 22 -> $EXTERNAL_NET  any (flags: A+; content: "SSH Secure Shell"; tag: session, 5, packets; msg: "Possible SSH scan";)

You should see a Fin (or RST)  packet within 5 packets of the string being passed.

If you want to automate all of the analysis work, write a simple script to check the flags of the packets and dump a line into your reporting
mechanism stating that it was a scan.  Cron the script to run once every fifteen minutes or so.

Scanssh (http://www.monkey.org/~provos/scanssh/) is nice enough to send an identifier right after it gets the banner, so you could write your sig to
look at that... and the above will also work, as right after the identifier, scanssh starts to end the connection.

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (flags: A+; content: "SSH_VERSION_MAPPER"; msg: "Scanssh Banner Grab Scan";)


Dump of scanssh v1.6b

08:35:49.537994 host1.22 > attacker.1028: P 1:50(49) ack 1 win 58400 (DF)
0x0000   4500 0059 b704 4000 4006 0000 1111 1111        E..Y..@.@.......
0x0010   1111 1111 0016 0404 cac2 7067 33fb 7e81        ..........pg3.~.
0x0020   5018 e420 ec14 0000 5353 482d 322e 302d        P.......SSH-2.0-
0x0030   332e 322e 3320 5353 4820 5365 6375 7265        3.2.3.SSH.Secure
0x0040   2053 6865 6c6c 2028 6e6f 6e2d 636f 6d6d        .Shell.(non-comm
0x0050   6572                                           er

08:35:49.539594 attacker.1028 > host1.22: P 1:29(28) ack 50 win 17520 (DF)
0x0000   4500 0044 0369 4000 4006 4b82 1111 1111        E..D.i@.@.K.....
0x0010   1111 1111 0404 0016 33fb 7e81 cac2 7098        ........3.~...p.
0x0020   5018 4470 270b 0000 5353 482d 312e 302d        P.Dp'...SSH-1.0-
0x0030   5353 485f 5665 7273 696f 6e5f 4d61 7070        SSH_Version_Mapp
0x0040   6572 0a00                                      er..

08:35:49.539658 attacker.1028 > host1.22: F 29:29(0) ack 50 win 17520 (DF)
0x0000   4500 0028 036a 4000 4006 4b9d 1111 1111        E..(.j@.@.K.....
0x0010   1111 1111 0404 0016 33fb 7e9d cac2 7098        ........3.~...p.
0x0020   5011 4470 8d8c 0000 0000 0000 0000             P.Dp..........


Dump of telnet session to port 22 with a carriage return after the banner.

14:03:31.889433 1.1.1.1.22 > 2.2.2.2.1024: P 1:50(49) ack 1 win 58400 (DF)
0x0000   4500 0059 a2cd 4000 4006 0000 1111 1111        E..Y..@.@.......
0x0010   1111 1111 0016 0400 7132 046a a7ff 0e37        ........q2.j...7
0x0020   5018 e420 ec14 0000 5353 482d 322e 302d        P.......SSH-2.0-
0x0030   332e 322e 3320 5353 4820 5365 6375 7265        3.2.3.SSH.Secure
0x0040   2053 6865 6c6c 2028 6e6f 6e2d 636f 6d6d        .Shell.(non-comm
0x0050   6572                                           er

14:03:31.985415 2.2.2.2.1024 > 1.1.1.1.22: . ack 50 win 17520 (DF) [tos 0x10]
0x0000   4510 0028 010c 4000 4006 4deb 1111 1111        E..(..@.@.M.....
0x0010   1111 1111 0400 0016 a7ff 0e37 7132 049b        ...........7q2..
0x0020   5010 4470 4f81 0000 0000 0000 0000             P.DpO.........

14:03:32.904109 2.2.2.2.1024 > 1.1.1.1.22: P 1:3(2) ack 50 win 17520 (DF) [tos 0x10]
0x0000   4510 002a 010d 4000 4006 4de8 1111 1111        E..*..@.@.M.....
0x0010   1111 1111 0400 0016 a7ff 0e37 7132 049b        ...........7q2..
0x0020   5018 4470 426d 0000 0d0a 7474 7474             P.DpBm....tttt

14:03:32.904214 1.1.1.1.22 > 2.2.2.2.1024: F 50:50(0) ack 3 win 58400 (DF)
0x0000   4500 0028 a2ce 4000 4006 0000 1111 1111        E..(..@.@.......
0x0010   1111 1111 0016 0400 7132 049b a7ff 0e39        ........q2.....9
0x0020   5011 e420 ebe3 0000                            P.......

14:03:32.904557 2.2.2.2.1024 > 1.1.1.1.22: . ack 51 win 17520 (DF) [tos 0x10]
0x0000   4510 0028 010f 4000 4006 4de8 1111 1111        E..(..@.@.M.....
0x0010   1111 1111 0400 0016 a7ff 0e39 7132 049c        ...........9q2..
0x0020   5010 4470 4f7e 0000 0000 0000 0000             P.DpO~........

14:03:32.904764 2.2.2.2.1024 > 1.1.1.1.22: F 3:3(0) ack 51 win 17520 (DF) [tos 0x10]
0x0000   4510 0028 0110 4000 4006 4de7 1111 1111        E..(..@.@.M.....
0x0010   1111 1111 0400 0016 a7ff 0e39 7132 049c        ...........9q2..
0x0020   5011 4470 4f7d 0000 0000 0000 0000             P.DpO}........



Christopher Lubrecht
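An added example, not code from Christopher's post or from scanssh: a Python post-processor for the packets a rule like the one above tags, doing the flag check he describes (FIN/RST within 5 packets of the banner) and the per-source threshold Jukka asks about below. It assumes tcpdump's one-line summary format shown in the dumps; the sample input is constructed from those dumps, and flagging only a client-initiated close (scanssh) rather than the server's close (the telnet test) is this example's own refinement.

```python
import re
from collections import defaultdict
# tcpdump summary line as in the dumps above: "HH:MM:SS.usec src.port > dst.port: FLAGS ..."
SUMMARY = re.compile(r'^(\d\d):(\d\d):(\d\d\.\d+)\s+(\S+)\.(\d+) > (\S+)\.(\d+): ([SFRP.]+)')

def parse_sessions(lines):
    """Group packets as (time, sender, flags) under (client, client_port, server); hex lines are skipped."""
    sessions = defaultdict(list)
    for m in filter(None, map(SUMMARY.match, (l.strip() for l in lines))):
        h, mi, s, src, sp, dst, dp, flags = m.groups()
        key = (src, sp, dst) if dp == '22' else (dst, dp, src) if sp == '22' else None
        if key:
            sessions[key].append((int(h) * 3600 + int(mi) * 60 + float(s), src, flags))
    return sessions

def classify(pkts, client, max_packets=5):
    """Return (is_scan, closer, offset). Banner = server's first PSH; window = next max_packets
    packets (what 'tag: session, 5, packets' captures). Flag a scan when the first FIN/RST in the
    window is the client's, as scanssh sends right after its identifier; a server close is not flagged."""
    banner = next((i for i, (_, src, fl) in enumerate(pkts) if src != client and 'P' in fl), None)
    if banner is None:
        return False, None, None
    for off, (_, src, fl) in enumerate(pkts[banner + 1:banner + 1 + max_packets], 1):
        if 'F' in fl or 'R' in fl:
            closer = 'client' if src == client else 'server'
            return closer == 'client', closer, off
    return False, None, None

def scan_report(lines, max_packets=5, hosts=10, seconds=10.0):
    """Report lines for flagged sessions, plus sources that hit >= hosts distinct servers within seconds."""
    flagged, per_src = [], defaultdict(list)
    for (client, cport, server), pkts in parse_sessions(lines).items():
        is_scan, _, off = classify(pkts, client, max_packets)
        if is_scan:
            flagged.append(f"SCAN {client}:{cport} -> {server}:22 client closed {off} pkt(s) after banner")
            per_src[client].append((pkts[0][0], server))
    bursts = {c for c, ev in per_src.items()
              if any(len({s for t, s in ev if t0 <= t <= t0 + seconds}) >= hosts for t0, _ in ev)}
    return flagged, bursts

# Constructed sample: summary lines of the two dumps in the post (hex dump lines omitted).
SAMPLE = """\
08:35:49.537994 host1.22 > attacker.1028: P 1:50(49) ack 1 win 58400 (DF)
08:35:49.539594 attacker.1028 > host1.22: P 1:29(28) ack 50 win 17520 (DF)
08:35:49.539658 attacker.1028 > host1.22: F 29:29(0) ack 50 win 17520 (DF)
14:03:31.889433 1.1.1.1.22 > 2.2.2.2.1024: P 1:50(49) ack 1 win 58400 (DF)
14:03:32.904109 2.2.2.2.1024 > 1.1.1.1.22: P 1:3(2) ack 50 win 17520 (DF) [tos 0x10]
14:03:32.904214 1.1.1.1.22 > 2.2.2.2.1024: F 50:50(0) ack 3 win 58400 (DF)
14:03:32.904764 2.2.2.2.1024 > 1.1.1.1.22: F 3:3(0) ack 51 win 17520 (DF) [tos 0x10]
""".splitlines()
```

Feed it the summary lines of the tagged packets (tcpdump -n on the tagged session pcap) and write `scan_report(...)[0]` to your reporting mechanism from cron.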



Jukka Juslin <jtjuslin at ...1151...>
Sent by: snort-sigs-admin at ...551...ceforge.net
To: snort-sigs at ...1708...sts.sourceforge.net
Subject: Re: [Snort-sigs] Signature for scanning SSH versions
07/25/2003 03:44 AM

An SSH request must have a signature somewhere. But after that it would
be important to detect that 1) the connection was terminated instantly
after start, 2) a threshold, say 10 hosts scanned in 10 seconds.

Is that possible?

Thanks,
Jukka


On Thu, 24 Jul 2003, Wes Young wrote:

->doesn't an ssh request have a signature?? and shouldn't each version have a sig (something that you can find in a syn request)?? To negotiate the ssh version?
->
->>>> Matt Kettler <mkettler at ...189...> 07/24 4:27 PM >>>
->At 07:38 PM 7/24/2003 +0200, Hugo van der Kooij wrote:
->>You can match the version info but not the probing as you need to check
->>the behaviour of packets after you trigger on the packet containing the
->>version info.
->>
->>To the best of my knowledge one can not write such signatures.
->>
->>Hugo
->
->Theoretically it might be possible using tagging, but tagged rules are a
->bit complicated to construct.
->
->
->

--
Jukka Juslin (M.Sc.)             "Complete chaos reigned in the theatre.
http://www.cs.hut.fi/u/jtjuslin/  Some shouted this, others that,
Jukka.Juslin at ...1150...        and most did not even know
+ 358 40 520 9879                 why they had gathered." Acts 19:32


-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs