Thu Nov 23 16:34:03 EST 2017
The scanssh protocol scanner scans a list of addresses and networks for running
SSH protocol servers and their version numbers. It supports random selection
of IP addresses from large network ranges and is useful for gathering
statistics on the deployment of SSH protocol servers in a company or the
Internet as a whole.
It is often used to find installs of OpenSSH pre-3.4, which are subject to the
gobbles ssh exploit (bugtraq id 5093, snort sid 1810, 1811).
Ease of Attack:
The scanner is open-source. It would be trivial to change the version
string in the code, bypassing this signature.
IPv4: 22.214.171.124 -> 126.96.36.199
hlen=5 TOS=0 dlen=80 ID=63958 flags=2 offset=0 TTL=49 chksum=61897
TCP: port=2356 -> dport: 22 flags=***AP*** seq=122065111
ack=2394761865 off=8 res=0 win=32120 urp=0 chksum=29045
Payload: length = 28
000 : 53 53 48 2D 31 2E 30 2D 53 53 48 5F 56 65 72 73 SSH-1.0-SSH_Vers
010 : 69 6F 6E 5F 4D 61 70 70 65 72 0A 00 ion_Mapper..
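
The match this signature relies on, as an added example (not part of the original post and not Snort's own code): it rebuilds the payload from the dump above, parses the SSH identification string, and compares the software field with the scanner's default. The function names and the two extra banners are constructed for illustration.

```python
import re

# Payload lines copied from the packet dump above: "offset : hex bytes ascii".
DUMP = """\
000 : 53 53 48 2D 31 2E 30 2D 53 53 48 5F 56 65 72 73 SSH-1.0-SSH_Vers
010 : 69 6F 6E 5F 4D 61 70 70 65 72 0A 00 ion_Mapper..
"""
PAYLOAD_LEN = 28                           # "Payload: length = 28" in the dump
SCANNER_SOFTWARE = b"ssh_version_mapper"   # software field seen in the dump, lowercased

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
IDENT = re.compile(rb"SSH-(\d+\.\d+)-(\S+)(?: .*)?")


def payload_from_dump(dump, length):
    """Rebuild the raw payload from dump lines (at most 16 bytes per line)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.partition(":")[2].split()[:16]:
            if not HEX_BYTE.fullmatch(tok):
                break                      # first non-hex token is the ASCII column
            out.append(int(tok, 16))
    return bytes(out[:length])


def parse_ident(payload):
    """Return (protoversion, softwareversion) or None if not an SSH banner."""
    first_line = payload.split(b"\n", 1)[0].rstrip(b"\r")
    m = IDENT.fullmatch(first_line)
    return (m.group(1), m.group(2)) if m else None


def is_scanssh_probe(payload):
    """True when the banner's software field is the scanner's default string."""
    ident = parse_ident(payload)
    return ident is not None and ident[1].lower() == SCANNER_SOFTWARE


if __name__ == "__main__":
    captured = payload_from_dump(DUMP, PAYLOAD_LEN)
    samples = [captured,
               b"SSH-2.0-OpenSSH_7.4\r\n",   # constructed: ordinary client banner
               b"SSH-1.0-Renamed_Tool\n"]     # constructed: version string changed
    for s in samples:
        print(parse_ident(s), "scanssh" if is_scanssh_probe(s) else "no match")
```

The third sample goes unmatched, which is the limitation noted under "Ease of Attack": the check only sees the scanner's default version string.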