[Snort-sigs] Signature for scanning SSH versions
mkettler at ...189...
Mon Jul 28 07:16:04 EDT 2003
Congratulations, you just summarized the entire point of my two emails as
if you never read them.
You are correct, it requires detection of the instant disconnect.
And, as I said originally, you might be able to get the time-based behavior
by using the tagging feature of SA, but tagging is a relatively new and
fairly complicated feature. I've not used it yet, but that's where I'd
At 10:44 AM 7/25/2003 +0300, Jukka Juslin wrote:
>SSH request must have a signature somewhere. But after that it would
>be important to detect, that 1) the connection was terminated instantly
>after start 2) a threshold, say 10 hosts scanned in 10 seconds.
>Is that possible?
>On Thu, 24 Jul 2003, Wes Young wrote:
>>doesn't an ssh request have a signature?? and shouldn't each version have
>>a sig (something that you can find in a syn request)?? To negotiate
>>the ssh version?
>>>>> Matt Kettler <mkettler at ...189...> 07/24 4:27 PM >>>
>>At 07:38 PM 7/24/2003 +0200, Hugo van der Kooij wrote:
>>>You can match the version info but not the probing as you need to check
>>>the behaviour of packets after you trigger on the packet containing the
>>>To the best of my knowledge one can not write such signatures.
>>Theoretically it might be possible using tagging, but tagged rules are a
>>bit complicated to construct.
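An added example, not from the thread or from Snort: the two checks the thread asks for (an instant disconnect right after the SSH banner, then a threshold of 10 hosts in 10 seconds) implemented as post-processing over per-connection records rather than as a tagged rule. The Flow fields, thresholds, addresses and banners are constructed sample data.

```python
"""Spot SSH version scanning from per-connection records (added example).

A version scanner completes the handshake, reads the server's banner
("SSH-protoversion-softwareversion") and closes at once, then moves on.
Signal 1: instant disconnect after the banner. Signal 2: one source
touching many distinct hosts in a short window. All data is constructed.
"""
from collections import defaultdict, namedtuple

# ts: connection start in seconds; duration: seconds from the server banner
# to the client's FIN/RST. Field names and values are constructed.
Flow = namedtuple("Flow", "ts src dst banner duration")

SAMPLE_FLOWS = (
    # scanner: 12 hosts in under 8 seconds, each closed 50 ms after the banner
    [Flow(0.7 * i, "10.0.0.5", f"10.0.1.{i + 1}", "SSH-1.99-OpenSSH_3.6.1p2", 0.05)
     for i in range(12)]
    # interactive login: one host, session stays up for two minutes
    + [Flow(3.0, "10.0.0.9", "10.0.1.1", "SSH-1.99-OpenSSH_3.6.1p2", 120.0)]
    # admin poking three hosts quickly: instant disconnects, below threshold
    + [Flow(5.0 + i, "10.0.0.7", f"10.0.1.{i + 1}", "SSH-2.0-OpenSSH_3.6", 0.1)
       for i in range(3)]
)


def is_instant_disconnect(flow, max_duration=0.5):
    """True when an SSH banner was exchanged and the client closed within
    max_duration seconds of it (signal 1)."""
    return flow.banner.startswith("SSH-") and flow.duration <= max_duration


def find_scanners(flows, hosts=10, window=10.0, max_duration=0.5):
    """Return {src: peak_distinct_hosts} for sources whose instant-disconnect
    SSH connections reach `hosts` distinct destinations inside any sliding
    `window`-second interval (signal 2)."""
    by_src = defaultdict(list)
    for flow in sorted(flows, key=lambda f: f.ts):
        if is_instant_disconnect(flow, max_duration):
            by_src[flow.src].append(flow)
    hits = {}
    for src, events in by_src.items():
        start = 0
        for end, current in enumerate(events):
            # drop events that fell out of the window ending at `current`
            while current.ts - events[start].ts > window:
                start += 1
            distinct = {f.dst for f in events[start:end + 1]}
            if len(distinct) >= hosts:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits
```

With the defaults only the 12-host source is reported; the long-lived login never counts, and the three-host burst stays below the threshold.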