Snort mailing list archives

Snort SSH Preprocessor configuration & alerts


From: Michał Malec <malecmeister () gmail com>
Date: Mon, 3 Apr 2017 15:54:58 +0100

Hi All,

I would like Snort to trigger an alert / log information to the alert file when someone tries to connect to my SSH
server with a version which is not supported.
In my virtual environment I have tried to connect to my Windows 2003 Server from Kali Linux with the command: ssh -1
10.214.0.13, from the same network [Kali Linux IP: 10.214.0.11].
I have configured my ssh preprocessor in a separate file (exploit2.txt) and run it as below:


I have explicitly pointed to the location of the sf_ssh.dll file to enable the ssh preprocessor (otherwise I receive an error
when I try to run Snort).

Does the SSH preprocessor automatically log alerts when someone tries to log in to my machine using an unsupported version
of SSH? On the server I am running Freesshd version 1.2.4 (intentionally vulnerable to some exploits, just for
testing purposes).
I can log in from Kali to Windows 2003 using SSH version 2, but I do not receive any alerts in the alert.ids file.
I do not know what the problem is. I have tried to write my own rule like this:

# the protocol keyword and the $ prefix on the variables were missing; without a content match this fires on every packet to port 22
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Unsupported version in SSH Client detected"; sid:100001; rev:1;)


preprocessor ssh: server_ports { 22 } \
autodetect \
max_client_bytes 19600 \
max_encrypted_packets 20 \
max_server_version_len 100 \
enable_respoverflow enable_ssh1crc32 \
enable_srvoverflow enable_protomismatch


but the alerts which I received were not related to any of the options configured in the ssh preprocessor.
Which options can I use for this particular preprocessor? Are there any options for this preprocessor like for the SSL
preprocessor (ssl_version, etc.)? I have already read in the Snort manual that "enable_protomismatch" is
responsible for version mismatch between server and client, but how do I trigger the alert and how do I write the rule for
it?

I would much appreciate any help, because I feel a little bit confused about this topic, which seems to be
pretty easy.
Actually I would also like to detect some exploits using the SSH preprocessor, but I wanted to start first with this
simple example.

Thanks,
Mike
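An added example of the configuration that makes the version-mismatch event visible (editor-supplied illustration, not code from the original post or from the Snort project). In Snort 2.9 the SSH preprocessor does not raise its detections through a text rule like the one in the post; it raises preprocessor events under GID 128 (the protocol-mismatch event is 128:4), and those only reach alert.ids when the matching line in preprocessor.rules is enabled, since both the include in snort.conf and the individual lines ship commented out. The dynamicpreprocessor path is an assumption for a Windows install, the message text of the preprocessor rules should be checked against the copy that ships with your Snort version, and the text rule at the end is a hypothetical companion that matches the "SSH-1.5-" banner a protocol-1 client sends (RFC 4253 section 5.1 identification string). One check before blaming the preprocessor: OpenSSH 7.0 and later are built without protocol 1 support by default, so on a 2017 Kali the command ssh -1 may refuse to run before sending any banner; confirm with tcpdump or Wireshark on port 22 that a client banner starting with SSH-1.5- actually leaves the Kali box.

```snort
# Added example (editor-supplied), Snort 2.9.x syntax. Paths are assumptions.

# --- snort.conf ---

# Load the dynamic SSH preprocessor (path is an assumption for a Windows install).
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

# SSH preprocessor. enable_protomismatch switches the client/server version-mismatch
# check on, but nothing is written to alert.ids until event 128:4 is enabled below.
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow \
                  enable_ssh1crc32 \
                  enable_srvoverflow \
                  enable_protomismatch

# Preprocessor events are defined in preprocessor.rules; this include ships commented out.
include $PREPROC_RULE_PATH/preprocessor.rules

# Hypothetical text rule for the same condition, independent of the preprocessor:
# a protocol-1 client identifies itself with a banner beginning "SSH-1.5-".
# Note the protocol keyword and the $-prefixed variables, which the rule in the post lacked.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH protocol 1 client banner"; \
      flow:to_server,established; content:"SSH-1.5-"; depth:8; sid:1000001; rev:1;)

# --- preprocessor.rules ---

# GID 128 is the SSH preprocessor. Uncomment the events you want; the message text
# below should be checked against the copy shipped with your Snort version.
alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; metadata: rule-type preproc; classtype: protocol-command-decode; )
alert ( msg: "SSH_EVENT_CRC32"; sid: 2; gid: 128; rev: 1; metadata: rule-type preproc; classtype: attempted-admin; )
```

With the preprocessor rule enabled, a mismatch shows up in alert.ids with generator 128 and signature 4 rather than under the local sid; the text rule is there so the two can be compared on the same capture, and it will only fire if the client really sent a protocol-1 banner.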
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
