[Snort-users] SSH Version Scan

James Lay jlay at ...13475...
Thu Apr 13 08:08:13 EDT 2017


alert tcp any any -> any 22 (msg:"INDICATOR-SCAN Nmap SSH Version map attempt"; flow:established; content:"nmap"; fast_pattern:only; classtype:network-scan; sid:9999998; rev:1;)

04/12-14:06:37.663608  [**] [1:9999998:1] INDICATOR-SCAN Nmap SSH Version map attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.1.253:51568 -> 192.168.1.7:22

04/12-14:06:37.663608 00:22:41:33:12:B2 -> 00:1F:F3:46:62:CA type:0x800 len:0x5D
192.168.1.253:51568 -> 192.168.1.7:22 TCP TTL:64 TOS:0x0 ID:51982 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xFE2C4827  Ack: 0x3F577223  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 126386992 255977148
53 53 48 2D 31 2E 35 2D 4E 6D 61 70 2D 53 53 48  SSH-1.5-Nmap-SSH
31 2D 48 6F 73 74 6B 65 79 0D 0A                 1-Hostkey..

Won't help with clowns using telnet and resetting the connection though.
James
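The two ideas in this thread, James's content match on the client banner and Alexis's "banner seen, then the session ends after only a few packets", combined into one flow-tracking sketch. This is added example code, not from the thread or from the Snort project: the packet sequences, IP addresses, ports and the OpenSSH server banner are constructed here, and the KEXINIT payload is only the leading fields (length, padding length, message type 20, cookie) of that message, which is all the check looks at. The banner match is case-insensitive, i.e. the equivalent of a Snort content match with nocase; the packet-count part has no counterpart in a plain content rule, which is why it is done with per-flow state.

```python
"""Flow-level SSH version-scan heuristic (added example, constructed data)."""
from dataclasses import dataclass
from typing import Optional

# Markers seen in scanner client banners: nmap's "SSH-1.5-Nmap-SSH1-Hostkey"
# probe and scanssh's "Version_Mapper" (the string SID 1638 looks for).
SCANNER_MARKERS = (b"nmap", b"version_mapper")
SSH_MSG_KEXINIT = 20


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # TCP flag letters, e.g. "S", "SA", "PA", "FA", "R"
    payload: bytes = b""


@dataclass
class Flow:
    packets: int = 0
    client_banner: Optional[bytes] = None
    server_banner: Optional[bytes] = None
    kexinit_seen: bool = False
    closed: bool = False    # a FIN or RST was seen in either direction


def is_scanner_banner(banner: bytes) -> bool:
    """True if an SSH client banner carries a known scanner marker (case-insensitive)."""
    b = banner.lower()
    return any(m in b for m in SCANNER_MARKERS)


def is_kexinit(payload: bytes) -> bool:
    """SSH binary packet: uint32 length, byte padding_len, byte msg type (20 = KEXINIT)."""
    return (len(payload) >= 6 and not payload.startswith(b"SSH-")
            and payload[5] == SSH_MSG_KEXINIT)


def classify_flows(packets, ssh_port=22, max_packets=8):
    """Group packets into (client, server) flows and label each one.

    Verdicts: "scanner-banner" (client identified itself as a scanner),
    "short-session" (server banner sent, no KEXINIT ever, flow torn down within
    max_packets packets; this also catches the telnet banner-grab-and-RST case),
    or None (looks like a real SSH session)."""
    flows = {}
    for p in packets:
        if p.dport == ssh_port:
            key, from_client = ((p.src, p.sport), (p.dst, p.dport)), True
        elif p.sport == ssh_port:
            key, from_client = ((p.dst, p.dport), (p.src, p.sport)), False
        else:
            continue
        f = flows.setdefault(key, Flow())
        f.packets += 1
        if p.payload.startswith(b"SSH-"):
            if from_client:
                f.client_banner = p.payload
            else:
                f.server_banner = p.payload
        elif is_kexinit(p.payload):
            f.kexinit_seen = True
        if "F" in p.flags or "R" in p.flags:
            f.closed = True

    verdicts = {}
    for key, f in flows.items():
        if f.client_banner is not None and is_scanner_banner(f.client_banner):
            verdicts[key] = "scanner-banner"
        elif (f.closed and f.server_banner is not None
              and not f.kexinit_seen and f.packets <= max_packets):
            verdicts[key] = "short-session"
        else:
            verdicts[key] = None
    return verdicts


# ---- constructed sample traffic (assumed addresses and banners) ----
SERVER = ("192.168.1.7", 22)
SERVER_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
# First bytes of a KEXINIT: length 0x2c, padding 10, type 20, 16-byte cookie.
KEXINIT = b"\x00\x00\x00\x2c\x0a" + bytes([SSH_MSG_KEXINIT]) + b"\x00" * 16


def _session(client, exchange):
    """Three-way handshake followed by (direction, flags, payload) steps."""
    c_ip, c_port = client
    s_ip, s_port = SERVER
    pkts = [Pkt(c_ip, c_port, s_ip, s_port, "S"),
            Pkt(s_ip, s_port, c_ip, c_port, "SA"),
            Pkt(c_ip, c_port, s_ip, s_port, "A")]
    for direction, flags, payload in exchange:
        if direction == "c":
            pkts.append(Pkt(c_ip, c_port, s_ip, s_port, flags, payload))
        else:
            pkts.append(Pkt(s_ip, s_port, c_ip, c_port, flags, payload))
    return pkts


NMAP = _session(("192.168.1.253", 51568), [
    ("s", "PA", SERVER_BANNER),
    ("c", "PA", b"SSH-1.5-Nmap-SSH1-Hostkey\r\n"),
    ("c", "FA", b""), ("s", "FA", b"")])
TELNET = _session(("192.168.1.250", 40001), [
    ("s", "PA", SERVER_BANNER), ("c", "R", b"")])
LEGIT = _session(("192.168.1.20", 50100), [
    ("s", "PA", SERVER_BANNER), ("c", "PA", b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("c", "PA", KEXINIT), ("s", "PA", KEXINIT)]
    + [("c", "PA", b"\x00" * 32), ("s", "PA", b"\x00" * 32)] * 5
    + [("c", "FA", b""), ("s", "FA", b"")])

if __name__ == "__main__":
    for key, verdict in classify_flows(NMAP + TELNET + LEGIT).items():
        print(key[0], "->", key[1], verdict)
```

The short-session branch is the noisy one: load-balancer health checks and broken clients also open TCP/22, take the banner and leave, so in practice it wants an allow-list or a per-source threshold before it becomes an alert rather than a log line.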
On Wed, 2017-04-12 at 15:43 +0000, Alexis wrote:
> Thanks for the input Jason. I will have a look at the SIP rules.
> 
> As far as I can tell, an SSH version scan with nmap gets the SSH
> banner and then drops the TCP connection. No username or password is
> given, so I think I am looking for a rule that sees the SSH banner
> (which I can do) and that the TCP session is only, say, 3-4 packets
> (which I am not sure how to do).
> 
> Thanks
> Alexis
> 
> 
> 
> On Wed, 12 Apr 2017 at 15:12 Jason Hellenthal <jhellenthal at ...17831...
> >
> wrote:
> 
> > 
> > Personally I would look into how detection for SIP works from NMAP
> > and dump the traffic on the network from a live scan and formulate
> > something like the following with your specific to/from details.
> > 
> > flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon;
> > 
> > 
> > Though it may be just easier to rate limit the connection attempts
> > by max
> > number of source connections and just blacklist them. Unless you
> > are really
> > interested in the details of versioning attempts.
> > 
> > 
> > 
> > 
> > > 
> > > On Apr 12, 2017, at 08:20, Alexis <jakatsavras at ...11827...> wrote:
> > > 
> > > Is there a way for Snort to detect an SSH version scan made on
> > > port 22?
> > > 
> > > The scan can be done either using "nmap -p 22 -sV 192.168.1.1" OR
> > > on Kali using
> > > 
> > > msf auxiliary(ssh_version)
> > > 
> > > I believe the below only works if the ssh scanner is scanssh.org
> > > 
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)
> > > 
> > > Thanks
> > > alexis
> > > 
> > -----------------------------------------------------------------
> > -------------
> > > 
> > > Check out the vibrant tech community on one of the world's most
> > > engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > https://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-use
> > > rs
> > > 
> > > Please visit http://blog.snort.org to stay current on all the
> > > latest
> > Snort news!
> > 
> > 
