Snort mailing list archives

Re: SSH Version Scan


From: Alexis <jakatsavras () gmail com>
Date: Wed, 12 Apr 2017 15:43:16 +0000

Thanks for the input Jason. I will have a look at the SIP rules.

As far as I can tell, an SSH version scan with nmap gets the SSH
banner and then drops the TCP connection. No username or password is given,
so I think I am looking for a rule that sees the SSH banner (which I can
do) and that the TCP session is only, say, 3-4 packets (which I am not sure
how to do).

Thanks
Alexis



On Wed, 12 Apr 2017 at 15:12 Jason Hellenthal <jhellenthal () dataix net>
wrote:

Personally I would look into how detection for SIP works from NMAP and
dump the network traffic from a live scan, and formulate something like
the following with your specific to/from details.

flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19;
classtype:attempted-recon;


Though it may be just easier to rate limit the connection attempts by max
number of source connections and just blacklist them. Unless you are really
interested in the details of versioning attempts.




On Apr 12, 2017, at 08:20, Alexis <jakatsavras () gmail com> wrote:

Is there a way for Snort to detect a SSH version scan made on port 22?

The scan can be done either using "nmap -p 22 -sV 192.168.1.1" or on Kali
using
msf auxiliary(ssh_version)

I believe the below only works if the ssh scanner is scanssh.org

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)

Thanks
alexis

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

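The session-shape check Alexis is after (server banner seen, client never sends its own identification string, connection torn down after a handful of packets) is easier to express in a flow post-processor than in a single Snort content rule. The following Python is an added example, not code from the thread or from the Snort project: it summarises a constructed packet list per SSH session and flags sessions that match that banner-grab shape. The packet records, addresses, banner strings and the packet-count threshold are all assumptions for illustration.

```python
"""Heuristic detection of SSH banner-grab (version-scan) sessions.

Added example, not code from the mailing-list thread. It models the
behaviour described there: a scanner completes the TCP handshake, reads
the server's "SSH-" identification string, then closes the connection
without ever sending a client identification string or any other data.
Packet records below are constructed; in practice they would come from a
pcap or flow exporter.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

SSH_PORT = 22
MAX_SCAN_PACKETS = 8  # assumed: handshake + banner + teardown fits in this


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # subset of "SAFRP" (TCP flag letters)
    payload: bytes = b""


@dataclass
class Session:
    packets: int = 0
    server_banner: Optional[bytes] = None
    client_bytes: int = 0       # payload bytes the client sent
    client_closed: bool = False  # client sent FIN or RST


def session_key(pkt: Packet):
    """Normalise both directions to (client_ip, client_port, server_ip, 22)."""
    if pkt.dport == SSH_PORT:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


def summarise(packets):
    """Fold a packet list into per-session counters."""
    sessions = defaultdict(Session)
    for pkt in packets:
        s = sessions[session_key(pkt)]
        s.packets += 1
        if pkt.dport == SSH_PORT:               # client -> server
            s.client_bytes += len(pkt.payload)
            if "F" in pkt.flags or "R" in pkt.flags:
                s.client_closed = True
        elif s.server_banner is None and pkt.payload.startswith(b"SSH-"):
            s.server_banner = pkt.payload.split(b"\r\n")[0]
    return sessions


def is_banner_grab(s: Session) -> bool:
    """Banner delivered, client sent nothing, client closed, short session."""
    return (s.server_banner is not None and s.client_bytes == 0
            and s.client_closed and s.packets <= MAX_SCAN_PACKETS)


def find_scans(packets):
    """Return sorted session keys that look like SSH version scans."""
    return sorted(k for k, s in summarise(packets).items() if is_banner_grab(s))


# Constructed sample traffic: one banner grab, one legitimate SSH client.
SCANNER, CLIENT, SERVER = "192.0.2.10", "192.0.2.20", "198.51.100.5"
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
KEXINIT = b"\x00\x00\x04\x14" + b"\x00" * 20   # truncated stand-in for KEXINIT

SAMPLE = [
    # scanner: handshake, read banner, FIN without sending any data
    Packet(SCANNER, 40000, SERVER, 22, "S"),
    Packet(SERVER, 22, SCANNER, 40000, "SA"),
    Packet(SCANNER, 40000, SERVER, 22, "A"),
    Packet(SERVER, 22, SCANNER, 40000, "PA", BANNER),
    Packet(SCANNER, 40000, SERVER, 22, "FA"),
    Packet(SERVER, 22, SCANNER, 40000, "FA"),
    # real client: sends its own identification string and key exchange
    Packet(CLIENT, 50000, SERVER, 22, "S"),
    Packet(SERVER, 22, CLIENT, 50000, "SA"),
    Packet(CLIENT, 50000, SERVER, 22, "A"),
    Packet(SERVER, 22, CLIENT, 50000, "PA", BANNER),
    Packet(CLIENT, 50000, SERVER, 22, "PA", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Packet(CLIENT, 50000, SERVER, 22, "PA", KEXINIT),
    Packet(SERVER, 22, CLIENT, 50000, "PA", KEXINIT),
    Packet(CLIENT, 50000, SERVER, 22, "FA"),
]

if __name__ == "__main__":
    for client_ip, client_port, server_ip, _ in find_scans(SAMPLE):
        print(f"possible SSH version scan: {client_ip}:{client_port} -> {server_ip}:{SSH_PORT}")
```

The legitimate session is not flagged even though it is also short, because the client sent payload; a scanner that does send a client identification string before disconnecting would need an additional check on whether key exchange ever completed.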
