[Snort-users] Rules for ssh exploit

Fyodor fygrave at ...121...
Mon Nov 12 02:50:02 EST 2001


On Mon, Nov 12, 2001 at 10:57:15AM +0100, Ralf Hildebrandt wrote:
> On Fri, Nov 02, 2001 at 04:34:57PM +1300, Russell Fulton wrote:
> 
> > 	Does any one have snort rules for detecting the recent spate of 
> > ssh attacks or are all the usable fingerprints hidden by the encryption?
> 
> http://staff.washington.edu/dittrich/misc/ssh-analysis.txt
> 

It is actually quite hard to catch an ssh exploit attempt with a simple
pkt-matching signature. IMHO this is the place where a protocol analysis
would definitely make more sense. Different exploits that I have
seen look quite different from a network layer perspective.



