No subject


Thu Nov 23 16:34:03 EST 2017


scanssh protocol scanner scans a list of addresses and networks for running
SSH protocol servers and their version numbers. scanssh protocol scanner
supports random selection of IP addresses from large network ranges and is
useful for gathering statistics on the deployment of SSH protocol servers in
a company or the Internet as a whole.
(end quote)
--
Attack Scenarios:
Often used to find installs of OpenSSH pre-3.4, which are subject to the
gobbles ssh exploit (bugtraq id 5093, snort sid 1810, 1811)
--
Ease of Attack:
Trivial
--
False Positives:
Unlikely
--
False Negatives:
The scanner is open-source.  It would be trivial to change the version
string in the code, bypassing this signature.
--
Corrective Action:
none
--
Contributors:
Steve Halligan
--
Additional References:

http://lists.jammed.com/incidents/2002/01/0174.html
http://lists.insecure.org/incidents/2001/Dec/0241.html
--
Packet Trace:
IPv4: 1.2.3.4 -> 5.6.7.8
      hlen=5 TOS=0 dlen=80 ID=63958 flags=2 offset=0 TTL=49 chksum=61897
TCP:  port=2356 -> dport: 22  flags=***AP*** seq=122065111
      ack=2394761865 off=8 res=0 win=32120 urp=0 chksum=29045
Payload:  length = 28

000 : 53 53 48 2D 31 2E 30 2D 53 53 48 5F 56 65 72 73   SSH-1.0-SSH_Vers
010 : 69 6F 6E 5F 4D 61 70 70 65 72 0A 00               ion_Mapper..
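
Added example (not part of the original post and not Snort's own rule code): the payload from the trace above rebuilt from its hex rows and checked for the scanner's identification string, including the renamed-string miss described under False Negatives. The function names, the case-insensitive match and the RENAMED sample are assumptions made for this illustration.

```python
import re

# Payload rows copied verbatim from the Packet Trace above.
TRACE_ROWS = """\
000 : 53 53 48 2D 31 2E 30 2D 53 53 48 5F 56 65 72 73   SSH-1.0-SSH_Vers
010 : 69 6F 6E 5F 4D 61 70 70 65 72 0A 00               ion_Mapper..
"""

# One dump row: hex offset, " : ", then space-separated hex byte pairs.
ROW_RE = re.compile(r"^[0-9A-Fa-f]+ : ((?:[0-9A-Fa-f]{2}(?: |$))+)")

# SSH identification line: SSH-<protoversion>-<softwareversion>, ended by LF or CR LF.
BANNER_RE = re.compile(rb"^SSH-([0-9.]+)-([^\r\n]*)\r?\n")

# Constructed sample: same banner layout with a different software string,
# standing in for a scanner whose version string was edited in the source.
RENAMED = b"SSH-1.0-SSH_Inventory\n"


def payload_from_trace(rows):
    """Rebuild the raw payload bytes from hexdump rows in the trace's layout."""
    out = bytearray()
    for row in rows.splitlines():
        m = ROW_RE.match(row)
        if m:  # the ASCII column and blank lines are ignored
            out += bytes.fromhex(m.group(1))
    return bytes(out)


def classify(payload):
    """Parse a client identification line; flag the scanssh string if present."""
    m = BANNER_RE.match(payload)
    if m is None:
        return None  # not an SSH identification line
    software = m.group(2)
    return {
        "proto": m.group(1).decode("ascii"),
        "software": software.decode("ascii", "replace"),
        # Assumption: case-insensitive match on the string seen in the trace.
        "scanssh": b"version_mapper" in software.lower(),
    }


if __name__ == "__main__":
    print(classify(payload_from_trace(TRACE_ROWS)))  # flagged
    print(classify(RENAMED))                         # parsed, not flagged
```

Logging the parsed software field for every inbound identification line, rather than only the flagged ones, keeps a record that still shows a scanner whose string was changed.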



