Snort mailing list archives
Snort SSH Preprocessor configuration & alerts
From: Michał Malec <malecmeister () gmail com>
Date: Mon, 3 Apr 2017 15:54:58 +0100
Hi All,

I would like Snort to trigger an alert / log information to the alert file when someone tries to connect to my SSH server with a version which is not supported. In my virtual environment I have tried to connect to my Windows 2003 Server using Kali Linux with the command: ssh -1 10.214.0.13 from the same network [Kali Linux IP: 10.214.0.11].

I have configured my ssh preprocessor in a separate file (exploit2.txt) and run as below: I have explicitly pointed to the location of the sf_ssh.dll file to enable the ssh preprocessor (otherwise I receive an error when I am trying to run Snort). Does the SSH preprocessor automatically log the alerts when someone tries to log in to my machine using an unsupported version of SSH? On the server I am running freeSSHd version 1.2.4 (intentionally vulnerable to some exploits, just for testing purposes). I can log in from Kali to Windows 2003 using SSH version 2, but I cannot receive any alerts in the alert.ids file. I do not know what seems to be the problem. I have tried to write my own rule like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Unsupported version in SSH Client detected"; sid:100001; rev:1;)
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow \
                  enable_ssh1crc32 \
                  enable_srvoverflow \
                  enable_protomismatch
but the alerts which I have received were not related to any options configured in the ssh preprocessor. Which options can I use for this particular preprocessor? Are there any options for this preprocessor like for the SSL preprocessor - ssl_version, etc.? I have already read in the Snort manual that "enable_protomismatch" is responsible for version mismatch between server and client, but how do I trigger the alert and how do I write the rule for it? I would much appreciate help, because I feel a little bit confused by this topic, which seems to be pretty easy. Actually I would also like to detect some exploits using the SSH preprocessor, but I wanted to start first with this simple example.

Thanks,
Mike
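The configuration below is an added example, not the original poster's file and not a file shipped by the Snort project. It shows the pieces that have to be in place for the SSH preprocessor's own events (the protocol-mismatch event among them) to be written to the alert file, and it goes one step beyond the post by adding a plain content rule that matches an SSH-1 client banner directly. The GID 128 / SID 4 numbering and the "SSH_EVENT_PROTOMISMATCH" message follow the SSH preprocessor event table in the Snort 2.9 manual as I remember it; check them against the preprocessor.rules that ships with your Snort version. The Windows directory names, the 10.214.0.0/24 network and the local rule sid are assumptions.

```snort
# --- snort.conf fragment (added example; paths are assumptions) -------------

# Network variables. Rule headers refer to these with a leading '$'.
ipvar HOME_NET 10.214.0.0/24
ipvar EXTERNAL_NET !$HOME_NET

# TCP stream tracking so the preprocessor sees both sides of the
# version exchange on port 22.
preprocessor stream5_global: track_tcp yes
preprocessor stream5_tcp: policy windows, ports both 22

# Load the SSH preprocessor as a dynamic module. On Windows this is the
# sf_ssh.dll mentioned in the post; the directory is an assumption.
dynamicpreprocessor file C:\Snort\lib\snort_dynamicpreprocessor\sf_ssh.dll

# SSH preprocessor. 'enable_protomismatch' raises the GID 128, SID 4 event
# when the client and server banners advertise incompatible major versions.
preprocessor ssh: server_ports { 22 } \
                  autodetect \
                  max_client_bytes 19600 \
                  max_encrypted_packets 20 \
                  max_server_version_len 100 \
                  enable_respoverflow \
                  enable_ssh1crc32 \
                  enable_srvoverflow \
                  enable_protomismatch

# Preprocessor events only reach the alert file when the matching
# preprocessor rule is loaded. The stock snort.conf carries both of these
# lines commented out; the directory here is an assumption.
var PREPROC_RULE_PATH C:\Snort\preproc_rules
include $PREPROC_RULE_PATH\preprocessor.rules

# --- the preprocessor.rules entry behind enable_protomismatch --------------
# One line of this shape exists per SSH event in the shipped file. Shown
# here so the sid/gid pairing is visible; verify against your own copy.
alert ( msg: "SSH_EVENT_PROTOMISMATCH"; sid: 4; gid: 128; rev: 1; \
        metadata: rule-type preproc; classtype: attempted-admin; )

# --- a plain rule that needs no preprocessor event ------------------------
# An SSH-1 client announces itself in its version banner ("SSH-1.5-...").
# Matching the banner text on the client-to-server side alerts on legacy
# clients whether or not the preprocessor raises its own event.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( \
    msg:"SSH-1 client version banner"; \
    flow:to_server,established; \
    content:"SSH-1."; depth:6; \
    classtype:protocol-command-decode; \
    sid:1000001; rev:1; )
```

Two checks are worth doing before concluding that the preprocessor is silent. First, a rule header must name a protocol (tcp) and use $HOME_NET / $EXTERNAL_NET with the dollar sign, otherwise Snort rejects the rule at startup and nothing is loaded. Second, confirm with a packet capture that the client actually sent a version banner: OpenSSH clients since 7.0 no longer offer protocol 1 by default, so `ssh -1` on a current Kali can exit with an error before a single packet leaves the host, and in that case neither the protocol-mismatch event nor the content rule has anything to fire on.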