[Snort-sigs] Signature for scanning SSH versions

Jon Hart warchild at ...288...
Fri Jul 25 07:43:16 EDT 2003


On Fri, Jul 25, 2003 at 09:00:37AM -0400, Christopher Lubrecht wrote:
> I agree with the tagging suggestion.  Set the sig to something like..
> 
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET  any (flags: A+; content: "SSH
> Secure Shell"; tag: session, 5, packets; msg: "Possible SSH scan";)
> 
> You should see a Fin (or RST)  packet within 5 packets of the string
> being passed.
> 
> If you want to automate all of the analysis work, write a simple
> script to check the flags of the packets and dump a line into your
> reporting mechanism stating that it was a scan.  Cron the script to
> run once every fifteen minutes or so.
> 
> Scanssh (http://www.monkey.org/~provos/scanssh/) is nice enough to
> send an identifier right after it gets the banner, so you could write
> your sig to look at that.....and the above will also work as right
> after the identifier, scanssh starts to end the connection.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (flags: A+; content:
> "SSH_VERSION_MAPPER"; msg: "Scanssh Banner Grab Scan";)

See this (brief) thread for some more info on detecting ssh banners:

http://marc.theaimsgroup.com/?l=snort-sigs&m=104485074219764&w=2

Although there are clearly ways to get around it, I use it without any
problems.  That I know of, anyway.

Actually, there is already a rule for detecting scanssh:

http://www.snort.org/snort-db/sid.html?sid=1638

-jon
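The "simple script" the quoted message describes, as an added example that is not code from the thread: it classifies a Snort-tagged session by whether a FIN or RST appears within five packets of the server banner, and separately flags the scanssh identifier. Packet records and the 192.0.2.x addresses are constructed, and it keys on the generic "SSH-" banner prefix rather than the "SSH Secure Shell" string in the quoted rule.

```python
WINDOW = 5                          # matches "tag: session, 5, packets"
SCANSSH_ID = b"SSH_VERSION_MAPPER"  # identifier scanssh sends after the banner


def classify_session(packets):
    """packets: list of (direction, flags, payload) in capture order.
    direction is 'srv' (server->client) or 'cli'; flags is a string of TCP
    flag letters such as 'PA' or 'FA'. Returns 'scanssh', 'scan' or 'normal'."""
    banner_at = None
    for i, (direction, flags, payload) in enumerate(packets):
        if direction == "cli" and SCANSSH_ID in payload:
            return "scanssh"            # scanssh announces itself after the banner
        if banner_at is None and direction == "srv" and payload.startswith(b"SSH-"):
            banner_at = i               # where the Snort rule fired and tagging began
    if banner_at is None:
        return "normal"                 # no banner seen, nothing to judge
    tagged = packets[banner_at + 1:banner_at + 1 + WINDOW]
    # a FIN or RST inside the tagged window means the peer hung up right after the banner
    if any("F" in f or "R" in f for _, f, _ in tagged):
        return "scan"
    return "normal"


def report(sessions):
    """One line per suspicious session, ready for the reporting mechanism."""
    lines = []
    for src, packets in sessions.items():
        verdict = classify_session(packets)
        if verdict != "normal":
            lines.append(f"{src} SSH banner scan ({verdict})")
    return lines


# Constructed sample sessions (not real captures); 192.0.2.x are documentation addresses
HANDSHAKE = [("cli", "S", b""), ("srv", "SA", b""), ("cli", "A", b"")]
BANNER = ("srv", "PA", b"SSH-1.99-OpenSSH_3.6.1p2\r\n")
SESSIONS = {
    "192.0.2.10": HANDSHAKE + [BANNER, ("cli", "A", b""), ("cli", "FA", b""), ("srv", "FA", b"")],
    "192.0.2.11": HANDSHAKE + [BANNER, ("cli", "PA", b"SSH_VERSION_MAPPER\r\n"), ("cli", "RA", b"")],
    "192.0.2.12": HANDSHAKE + [BANNER, ("cli", "PA", b"SSH-2.0-OpenSSH_3.6.1p2\r\n")]
                + [("cli", "PA", b"\x00\x00\x01\x0c")] * 6,  # key exchange goes on
}

if __name__ == "__main__":
    for line in report(SESSIONS):
        print(line)
```

A client that reads the banner and disconnects by design (a host-key collector, for instance) trips the same five-packet test, so known sources of that kind belong on an allowlist before the report lines are acted on.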