[Snort-sigs] Signature for scanning SSH versions

Jon Hart warchild at ...288...
Fri Jul 25 07:43:16 EDT 2003

On Fri, Jul 25, 2003 at 09:00:37AM -0400, Christopher Lubrecht wrote:
> I agree with the tagging suggestion.  Set the sig to something like..
>
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (flags: A+; content: "SSH Secure Shell"; tag: session, 5, packets; msg: "Possible SSH scan";)
>
> You should see a Fin (or RST) packet within 5 packets of the string
> being passed.
> If you want to automate all of the analysis work, write a simple
> script to check the flags of the packets and dump a line into your
> reporting mechanism stating that it was a scan.  Cron the script to
> run once every fifteen minutes or so.
> Scanssh (http://www.monkey.org/~provos/scanssh/) is nice enough to
> send an identifier right after it gets the banner, so you could write
> your sig to look at that.....and the above will also work as right
> after the identifier, scanssh starts to end the connection.
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (flags: A+; content: "SSH_VERSION_MAPPER"; msg: "Scanssh Banner Grab Scan";)

See this (brief) thread for some more info on detecting ssh banners:


Although there are clearly ways to get around it, I use it without any
problems.  That I know of, anyway.

Actually, there is already a rule for detecting scanssh:



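The periodic check described in the quoted message (report a session when a FIN or RST follows within the 5 tagged packets after the banner), written in Python as an added example that comes from neither poster nor from Snort. The packet records are a hypothetical already-decoded form, and the addresses and banner text are constructed.

```python
from collections import defaultdict

BANNER = b"SSH Secure Shell"  # content string from the quoted rule
WINDOW = 5                    # mirrors "tag: session, 5, packets"

def pkt(ts, src, sport, dst, dport, flags, payload=b""):
    # Hypothetical decoded-packet record; flags is a string such as "PA" or "FA".
    return dict(ts=ts, src=src, sport=sport, dst=dst, dport=dport,
                flags=flags, payload=payload)

def session_key(p):
    # Direction-independent key so both halves of a connection group together.
    return tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))

def find_scans(packets, banner=BANNER, window=WINDOW):
    """Report sessions torn down (FIN/RST) within `window` packets of the banner."""
    sessions = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        sessions[session_key(p)].append(p)
    reports = []
    for pkts in sessions.values():
        hit = next((i for i, p in enumerate(pkts)
                    if p["sport"] == 22 and banner in p["payload"]), None)
        if hit is None:
            continue  # banner never seen, so the rule would not have tagged it
        for offset, p in enumerate(pkts[hit + 1:hit + 1 + window], start=1):
            if set(p["flags"]) & {"F", "R"}:
                reports.append({"client": pkts[hit]["dst"], "server": pkts[hit]["src"],
                                "flags": p["flags"], "after_banner": offset})
                break
    return reports

# Constructed sample traffic (documentation address ranges, not a real capture).
B = b"SSH-2.0-0.0 SSH Secure Shell (constructed banner)\n"
SRV, SCAN, USER = "192.0.2.10", "198.51.100.7", "203.0.113.20"
SAMPLE = [
    # Banner grab: the client closes right after the banner arrives.
    pkt(1.0, SCAN, 40000, SRV, 22, "S"), pkt(1.1, SRV, 22, SCAN, 40000, "SA"),
    pkt(1.2, SCAN, 40000, SRV, 22, "A"), pkt(1.3, SRV, 22, SCAN, 40000, "PA", B),
    pkt(1.4, SCAN, 40000, SRV, 22, "FA"),
    # Interactive login: traffic continues well past the tagged window.
    pkt(2.0, USER, 50000, SRV, 22, "S"), pkt(2.1, SRV, 22, USER, 50000, "SA"),
    pkt(2.2, USER, 50000, SRV, 22, "A"), pkt(2.3, SRV, 22, USER, 50000, "PA", B),
] + [pkt(3.0 + i, USER, 50000, SRV, 22, "PA") for i in range(6)] \
  + [pkt(9.5, USER, 50000, SRV, 22, "FA")]

if __name__ == "__main__":
    for r in find_scans(SAMPLE):
        print("possible SSH scan from {client}: {flags} {after_banner} pkt(s) after banner".format(**r))
```

Only the banner-grab session is reported with the default window; a session that closes later than 5 packets after the banner is left alone.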