[Snort-sigs] Signature for scanning SSH versions

Matt Kettler mkettler at ...189...
Mon Jul 28 07:16:04 EDT 2003

Congratulations, you just summarized the entire point of my two emails as 
if you never read them.

You are correct, it requires detection of the instant disconnect.

And, as I said originally, you might be able to get the time-based behavior 
by using the tagging feature of SA, but tagging is a relatively new and 
fairly complicated feature. I've not used it yet, but that's where I'd 
start looking.

At 10:44 AM 7/25/2003 +0300, Jukka Juslin wrote:

>SSH request must have a signature somewhere. But after that it would
>be important to detect, that 1) the connection was terminated instantly
>after start 2) a threshold, say 10 hosts in scanned in 10 second.
>Is that possible?
>On Thu, 24 Jul 2003, Wes Young wrote:
>->doesnt an ssh request have a signature?? and shouldnt each version have 
>a sig (something that you can find in a syn request)?? To nagociate (sp) 
>the ssh version?
>->>>> Matt Kettler <mkettler at ...189...> 07/24 4:27 PM >>>
>->At 07:38 PM 7/24/2003 +0200, Hugo van der Kooij wrote:
>->>You can match the version info but not the probing as you need to check
>->>the behaviour of packets after you trigger on the packet containing the
>->>version info.
>->>To the best of my knowledge one can not write such signatures.
>->Theoretically it might be possible using tagging, but tagged rules are a
>->bit complicated to construct.

More information about the Snort-sigs mailing list