[Snort-users] SSH Version Scan

Alexis jakatsavras at ...11827...
Wed Apr 12 11:43:16 EDT 2017


Thanks for the input Jason. I will have a look at the SIP rules.

As far as I can tell, an SSH version scan with nmap gets the SSH
banner and then drops the TCP connection. No username or password is given.
So I think I am looking for a rule that sees the SSH banner (which I can
do) and that the TCP session is only, say, 3-4 packets (which I am not sure
how to do).

Thanks
Alexis



On Wed, 12 Apr 2017 at 15:12 Jason Hellenthal <jhellenthal at ...17831...>
wrote:

> Personally I would look into how detection for SIP works from NMAP, dump
> the traffic on the network from a live scan, and formulate something like
> the following with your specific to/from details.
>
> flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19;
> classtype:attempted-recon;
>
>
> Though it may be just easier to rate limit the connection attempts by max
> number of source connections and just blacklist them. Unless you are really
> interested in the details of versioning attempts.
>
>
>
>
> > On Apr 12, 2017, at 08:20, Alexis <jakatsavras at ...11827...> wrote:
> >
> > Is there a way for Snort to detect a SSH version scan made on port 22?
> >
> > The scan can be done either using "nmap -p 22 -sV 192.168.1.1" or on Kali
> > using msf auxiliary(ssh_version)
> >
> > I believe the below only works if the SSH scanner is scanssh.org
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt";
> > flow:to_server,established; content:"Version_Mapper"; fast_pattern:only;
> > metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)
> >
> > Thanks
> > alexis
> >

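The heuristic described in the thread (server sends its SSH identification string, the client never sends one of its own, and the TCP session is torn down after a handful of packets) is not something a Snort rule can express on its own, because no rule option counts packets per session or matches on the absence of a later packet. The script below is an added example, not code from the thread or from Snort, that applies that heuristic out of band to a packet stream. The packet records, the IP addresses, the `MAX_PKTS_FOR_SCAN` threshold and the verdict names are all constructed for illustration; a real run would feed it decoded packets from a pcap.

```python
"""Classify SSH sessions on port 22 as banner grabs or real connections.

Added example; the packets below are constructed, not captured.
"""
from collections import defaultdict
from dataclasses import dataclass

SSH_PORT = 22
# Hypothetical threshold: a banner-only session is a few packets long,
# a real login is dozens. Tune it against your own traffic.
MAX_PKTS_FOR_SCAN = 6


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # letters from "SAFRP": SYN ACK FIN RST PSH
    payload: bytes = b""


def flow_key(p):
    """Canonical (client_ip, client_port, server_ip, server_port) for a packet."""
    if p.dport == SSH_PORT:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


def classify_flow(key, pkts):
    """Return 'banner-grab', 'normal-ssh', 'odd-client' or 'unclassified'."""
    client = (key[0], key[1])
    server_banner = client_ident = client_other = closed = False
    for p in pkts:
        from_client = (p.src, p.sport) == client
        if p.payload:
            if p.payload.startswith(b"SSH-"):
                if from_client:
                    client_ident = True      # real clients identify themselves
                else:
                    server_banner = True
            elif from_client and not client_ident:
                client_other = True          # spoke, but not SSH (e.g. an HTTP probe)
        if "F" in p.flags or "R" in p.flags:
            closed = True
    if server_banner and client_ident:
        return "normal-ssh"
    if server_banner and client_other:
        return "odd-client"
    if server_banner and closed and len(pkts) <= MAX_PKTS_FOR_SCAN:
        return "banner-grab"                 # got the banner, then hung up
    return "unclassified"


def detect(packets):
    """Group port-22 packets into flows and classify each one."""
    flows = defaultdict(list)
    for p in packets:
        if SSH_PORT in (p.sport, p.dport):
            flows[flow_key(p)].append(p)
    return {k: classify_flow(k, v) for k, v in flows.items()}


def scanners(packets):
    """Sorted client IPs whose sessions look like banner grabs."""
    return sorted({k[0] for k, v in detect(packets).items() if v == "banner-grab"})


# ---- constructed sample traffic (server 192.168.1.1, addresses hypothetical) ----
SERVER = "192.168.1.1"
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
KEXINIT = b"\x00\x00\x04\x3c\x0a\x14" + b"\x00" * 16   # truncated stand-in for a KEXINIT packet


def _handshake(c, port):
    return [Packet(c, port, SERVER, 22, "S"), Packet(SERVER, 22, c, port, "SA"),
            Packet(c, port, SERVER, 22, "A"), Packet(SERVER, 22, c, port, "PA", BANNER)]


def _scan_session(c, port):          # banner read, then the scanner drops the connection
    return _handshake(c, port) + [Packet(c, port, SERVER, 22, "R")]


def _normal_session(c, port):        # client identifies itself and starts key exchange
    return _handshake(c, port) + [
        Packet(c, port, SERVER, 22, "PA", b"SSH-2.0-OpenSSH_7.4\r\n"),
        Packet(c, port, SERVER, 22, "PA", KEXINIT), Packet(SERVER, 22, c, port, "PA", KEXINIT),
        Packet(c, port, SERVER, 22, "A"), Packet(c, port, SERVER, 22, "FA"),
        Packet(SERVER, 22, c, port, "FA")]


def _http_probe_session(c, port):    # something non-SSH talking to port 22
    return _handshake(c, port) + [Packet(c, port, SERVER, 22, "PA", b"GET / HTTP/1.0\r\n\r\n"),
                                  Packet(c, port, SERVER, 22, "R")]


SAMPLE_PACKETS = (_scan_session("10.0.0.5", 40000) + _normal_session("10.0.0.7", 40100)
                  + _http_probe_session("10.0.0.9", 40200) + _scan_session("10.0.0.5", 40001))

if __name__ == "__main__":
    for key, verdict in detect(SAMPLE_PACKETS).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict}")
    print("likely scanners:", scanners(SAMPLE_PACKETS))
```

In Snort itself the closest equivalent is a flowbits pair (set a bit when the server banner is seen, require it when matching the client's own `SSH-` identification string) but that still cannot alert on a session that ends without that second match, which is why the short-session check is done here over a packet list rather than in a rule, and why the earlier suggestion to simply rate-limit or block sources with many connection attempts is often the more practical route.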