No subject

Thu Nov 23 16:34:03 EST 2017

last fall i modified niels provos' scanssh tool [1] to also connect to
ports 23/tcp and 513/tcp (telnet and rsh, respectively) on the target
hosts. i then used this modified scanssh and scanned a subnet i had access
to (a /16) and generated some results which i shared with the network
(end quote)
Attack Scenarios:
Often used to find installs of OpenSSH pre-3.4, which are subject to gobbles
ssh exploit (bugtraq id 5093, snort sid 1810, 1811)
Ease of Attack:
False Positives:
False Negatives:
The scanner is open-source.  It would be trivial to change the version
string in the code, bypassing this signature.
Corrective Action:
Steve Halligan
Additional References:

More information about the Snort-sigs mailing list