[Snort-users] Snort SSH Preprocessor configuration & alerts

Michał Malec malecmeister at ...11827...
Mon Apr 3 10:54:58 EDT 2017


Hi All,

I would like Snort to trigger an alert / log information to the alert file when someone tries to connect to my SSH server with a version which is not supported.
In my virtual environment I have tried to connect to my Windows 2003 Server using Kali Linux with the command: ssh -1 10.214.0.13 from the same network [Kali Linux IP: 10.214.0.11].
I have configured my ssh preprocessor in a separate file (exploit2.txt) and run as below:

preprocessor ssh: server_ports { 22 } \
    autodetect \
    max_client_bytes 19600 \
    max_encrypted_packets 20 \
    max_server_version_len 100 \
    enable_respoverflow enable_ssh1crc32 \
    enable_srvoverflow enable_protomismatch

I have explicitly pointed to the location of the sf_ssh.dll file to enable the ssh preprocessor (otherwise I receive an error when I try to run Snort).

Does the SSH preprocessor automatically log alerts when someone tries to log in to my machine using an unsupported version of SSH? On the server I am running freeSSHd version 1.2.4 (intentionally vulnerable to some exploits, just for testing purposes).
I can log in from Kali to Windows 2003 using SSH version 2 but I do not receive any alerts in the alert.ids file.
I do not know what the problem is. I have tried to write my own rule like this:

# Needs a protocol and "$" on the variables to parse; local SIDs start at 1000000.
# Note: with no content match this fires on every packet to port 22, not only on version mismatches.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Unsupported version in SSH Client detected"; sid:1000001; rev:1;)

but the alerts which I have received were not related to any options configured in the ssh preprocessor.
Which options for this particular preprocessor can I use? Are there any options for this preprocessor like for the SSL preprocessor (ssl_version, etc.)? I have already read in the Snort manual that "enable_protomismatch" is responsible for a version mismatch between server and client, but how do I trigger the alert and how do I write the rule for it?

I would much appreciate some help, because I feel a little bit confused about this topic, which seems to be pretty easy.
Actually I would also like to detect some exploits using the SSH preprocessor, but I wanted to start first with this simple example.

Thanks,
Mike
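Added editorial example (not part of Mike's post, and not a copy of Snort's shipped files): the pieces of a Snort 2.9 configuration that turn the ssh preprocessor's enable_* switches into alerts in the alert file. The enable_protomismatch option only makes the preprocessor raise its event; the event is alerted through a generator-ID 128 rule, not through a text rule with content matches. In the stock snort.conf the `include $PREPROC_RULE_PATH/preprocessor.rules` line is commented out, which is the usual reason no preprocessor alerts appear. File paths and the stream5 policy below are assumptions for a Windows sensor; the GID 128 entries reproduce the shape of the entries in Snort 2.9's preprocessor.rules (verify against the copy in your own installation). The last section shows the one text rule that does fit the stated test, an SSH-1 client banner, since a protocol-1 client sends a version string beginning "SSH-1.".

```conf
# ---------------- snort.conf (fragments) ----------------

# Load the SSH dynamic preprocessor. Path is an assumption; adjust it.
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

# The ssh preprocessor works on reassembled TCP streams; stream5 must track
# port 22 on both sides (policy "windows" assumed for a Windows 2003 target).
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy windows, ports both 22

# Raise every SSH preprocessor event. enable_protomismatch fires when the
# client and server version banners disagree on the protocol version
# (SSH-1.99 counts as 2.0); it needs BOTH banners, so an "ssh -1" attempt
# must be answered by the server before anything is raised.
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow enable_ssh1crc32 \
                  enable_srvoverflow enable_protomismatch \
                  enable_badmsgdir enable_paysize enable_recognition

# Preprocessor events are alerted through GID 128 rules. Either include the
# shipped file (uncomment the stock line) ...
var PREPROC_RULE_PATH C:\Snort\preproc_rules
include $PREPROC_RULE_PATH/preprocessor.rules
# ... or, if you leave the file out, let Snort synthesise the rules itself:
# config autogenerate_preprocessor_decoder_rules

# Local text rules (e.g. the SSH-1 banner rule below)
var RULE_PATH C:\Snort\rules
include $RULE_PATH/local.rules

# ---------------- preprocessor.rules (SSH entries) ----------------
# Assumed shape of the shipped entries: GID 128 is the ssh preprocessor,
# SID 4 is the protocol-version mismatch. Each alert shows up in the alert
# file as [128:<sid>:1]. Comment out any you do not want.
alert ( msg: "SSH_EVENT_RESPOVERFLOW";  sid: 1; gid: 128; rev: 1; metadata: rule-type preproc; classtype:attempted-admin; )
alert ( msg: "SSH_EVENT_CRC32";         sid: 2; gid: 128; rev: 1; metadata: rule-type preproc; classtype:attempted-admin; )
alert ( msg: "SSH_EVENT_SECURECRT";     sid: 3; gid: 128; rev: 1; metadata: rule-type preproc; classtype:attempted-admin; )
alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "SSH_EVENT_WRONGDIR";      sid: 5; gid: 128; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "SSH_EVENT_PAYLOAD_SIZE";  sid: 6; gid: 128; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )
alert ( msg: "SSH_EVENT_VERSION";       sid: 7; gid: 128; rev: 1; metadata: rule-type preproc; classtype:protocol-command-decode; )

# ---------------- local.rules ----------------
# Plain text rule for the specific test in the post: a protocol-1 client
# (ssh -1) identifies itself with a banner starting "SSH-1." on the first
# bytes it sends; "SSH-1.99" is excluded because that is a 2.0-capable peer.
# Unlike the GID 128 event this does not need the server to answer.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH protocol 1 client banner"; \
    flow:to_server,established; content:"SSH-1."; depth:6; \
    content:!"SSH-1.99"; depth:8; classtype:protocol-command-decode; sid:1000002; rev:1;)
```

Two checks worth doing after restarting Snort: run with -A console (or -A fast) and look for the "[128:4:1]" prefix rather than a message text, since the preprocessor alert does not carry the msg of any local rule; and run with -T first, which reports whether preprocessor.rules was actually read and whether sf_ssh.dll loaded.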

