[Snort-users] SSH Version Scan

Jason Hellenthal jhellenthal at ...17831...
Wed Apr 12 10:11:46 EDT 2017

Personally I would look into how detection for SIP works from NMAP and dump the traffic the network from a live scan and formulate something like the following with your specific to/from details.

flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon;

Though it may be just easier to rate limit the connection attempts by max number of source connections and just blacklist them. Unless you are really interested in the details of versioning attempts.

> On Apr 12, 2017, at 08:20, Alexis <jakatsavras at ...11827...> wrote:
> Is there a way for Snort to detect a SSH version scan made on port 22?
> scan can be done either using "nmap -p 22 -sV" OR on Kali using
> msf auxiliary(ssh_version)
> I believe the below only works if the ssh scanner is scanssh.org
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH
> Version map attempt"; flow:to_server,established; content:"Version_Mapper";
> fast_pattern:only; metadata:ruleset community; classtype:network-scan;
> sid:1638; rev:9;)
> Thanks
> alexis
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list