[Snort-sigs] SSH brute force attack sig

Matt Jonkman matt at ...2436...
Wed Jul 6 12:46:24 EDT 2005

Always looking to get you to chime in Brian. :)

The problem with portscan is acting on the info. For sites using
snortsam, flexresponse, inline, etc, you can't block or respond based on
portscan events. I can say this for sure with snortsam and flex, I
haven't played with inline to know for sure.

Hopefully this is changing in snort3?

Is this sig really a big resource user? I wouldn't think it so, can you

For others looking for more ways to detect ssh, look at Erik Fichtners
set of sigs to detect ssh on off ports using flowbits and banners. Very
very good sigs. I'll paste them below, but the full thing and docs are
in the bleeding snort POlicy ruleset:

to detect Non-standard port usage
alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSH
Server Banner Detected on Unusual Port"; flowbits:noalert; flow
: from_server,established; content:"SSH-"; offset: 0; depth: 4;
=,46,1,relative;flowbits: set,is_ssh_server_banner;
classtype:misc-activity; sid: 2001979; rev:5; )

alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH
Client Banner Detected on Unusual Port"; flowbits:noalert; flow
bits:isset,is_ssh_server_banner; flow: from_client,established;
content:"SSH-"; offset: 0; depth: 4; byte_test:1,>,48,0,relative;byt
e_test:1,<,51,0,relative;byte_test:1,=,46,1,relative; flowbits:
set,is_ssh_client_banner; classtype:misc-activity; sid: 2001980; rev
:6; )

alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2
Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_c
lient_banner; flowbits:noalert; flow: from_server,established;
byte_test:1,=,20,5;flowbits: set,is_ssh_server_kex; classtype:misc-ac
tivity; sid: 2001981; rev:5; )

alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2
Client KEX Detected on Unusual Port"; flowbits:noalert; flowb
its:isset,is_ssh_server_kex; flow: from_client,established;
byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; classtype:misc-acti
vity; sid: 2001982; rev:6; )

alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2
Client New Keys Detected on Unusual Port"; flowbits:isset,is_
ssh_client_kex; flowbits:noalert; flow: from_client,established;
byte_test:1,=,21,5; flowbits: set,is_proto_ssh; classtype:misc-acti
vity; sid: 2001983; rev:6; )

alert tcp any any <> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH
session in progress on Unusual Port"; flowbits: isset,is_proto_
ssh; threshold: type both, track by_src, count 2, seconds 300;
classtype:misc-activity; sid: 2001984; rev:4; )

bmc at ...95... wrote:
> On Wed, Jul 06, 2005 at 01:01:02PM -0500, Matt Jonkman wrote:
>>alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
>>Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
>>threshold: type threshold, track by_src, count 5, seconds 120;
>>classtype: suspicious-login; sid: 2001219; rev:10; )
>>We've tweaked this one to be near perfect.
> Heh.  Did you put "near perfect" in the message to get me to pipe up?
> Whats wrong with using sfportscan to detect this scan?  This "near
> perfect" rule implements a crude network scan detection at a fairly
> hefty cost to performance.
> Brian
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.

More information about the Snort-sigs mailing list