Snort mailing list archives
Re: SSH Version Scan
From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 13 Apr 2017 06:08:13 -0600
alert tcp any any -> any 22 (msg:"INDICATOR-SCAN Nmap SSH Version map attempt"; flow:established; content:"nmap"; fast_pattern:only; classtype:network-scan; sid:9999998; rev:1;)

04/12-14:06:37.663608  [**] [1:9999998:1] INDICATOR-SCAN Nmap SSH Version map attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.1.253:51568 -> 192.168.1.7:22

04/12-14:06:37.663608 00:22:41:33:12:B2 -> 00:1F:F3:46:62:CA type:0x800 len:0x5D
192.168.1.253:51568 -> 192.168.1.7:22 TCP TTL:64 TOS:0x0 ID:51982 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xFE2C4827  Ack: 0x3F577223  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 126386992 255977148
53 53 48 2D 31 2E 35 2D 4E 6D 61 70 2D 53 53 48  SSH-1.5-Nmap-SSH
31 2D 48 6F 73 74 6B 65 79 0D 0A                 1-Hostkey..

Won't help with clowns using telnet and resetting the connection though.

James

On Wed, 2017-04-12 at 15:43 +0000, Alexis wrote:
Thanks for the input Jason. I will have a look at the SIP rules.

As far as I can tell, an SSH version scan with nmap gets the SSH banner and then drops the TCP connection. No username or password is given. So I think I am looking for a rule that sees the SSH banner (which I can do) and that the TCP session is only, say, 3-4 packets (which I am not sure how to do).

Thanks
Alexis

On Wed, 12 Apr 2017 at 15:12 Jason Hellenthal <jhellenthal () dataix net> wrote:

Personally I would look into how detection for SIP works from NMAP and dump the traffic on the network from a live scan and formulate something like the following with your specific to/from details.

flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon;

Though it may be just easier to rate limit the connection attempts by max number of source connections and just blacklist them. Unless you are really interested in the details of versioning attempts.

On Apr 12, 2017, at 08:20, Alexis <jakatsavras () gmail com> wrote:

Is there a way for Snort to detect an SSH version scan made on port 22? The scan can be done either using "nmap -p 22 -sV 192.168.1.1" or on Kali using msf auxiliary(ssh_version).

I believe the below only works if the ssh scanner is scanssh.org

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)

Thanks
alexis

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org!
http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
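The two approaches discussed in this thread, banner signatures (James's content:"nmap" rule and the "Version_Mapper" string of community sid 1638) and Alexis's idea of flagging a session that is dropped right after the banner exchange, as one added example in Python. This is illustration code written for this archive page, not anything posted in the thread or shipped with Snort, nmap or scanssh. The sessions it runs over are constructed packet lists: the nmap client string is the one in James's packet dump, while the scanssh string "SSH-1.0-SSH_Version_Mapper" and the KEXINIT bytes are assumed for the sake of the example. It also adds a third heuristic not in the thread, a server banner answered by a reset with no client data at all, which is the telnet case James says a content rule misses.

```python
"""Classify SSH sessions on tcp/22 as version-scan attempts.

Illustration only (not from the thread, Snort, nmap or scanssh). A session
is a list of (direction, tcp_flags, payload) tuples, direction "c2s" or
"s2c", flags as a string of letters such as "S", "SA", "PA", "FA", "R".
"""
import re

# Client identification strings the rules in the thread key on.
# James's rule uses content:"nmap"; fast_pattern:only. Snort's fast pattern
# matcher is case-insensitive, which is why the lowercase pattern fires on
# the real banner "SSH-1.5-Nmap-SSH1-Hostkey"; lower() below reproduces that.
# "Version_Mapper" is what community rule sid:1638 looks for (scanssh).
SCANNER_SIGNATURES = {
    b"nmap": "nmap",
    b"version_mapper": "scanssh",
}

# RFC 4253 identification line: SSH-protoversion-softwareversion [comments]
IDENT_RE = re.compile(rb"^SSH-[0-9.]+-[^ \r\n]+")


def client_ident(session):
    """Return the client's identification string from its first payload,
    or None if the client never sent one (e.g. a telnet banner grab)."""
    for direction, _flags, payload in session:
        if direction == "c2s" and payload:
            match = IDENT_RE.match(payload)
            return match.group(0) if match else None
    return None


def classify_session(session):
    """Return findings for one session: signature hits, then shape heuristics."""
    findings = []
    ident = client_ident(session)
    if ident is not None:
        lowered = ident.lower()
        findings += [f"scanner-banner:{tool}"
                     for needle, tool in SCANNER_SIGNATURES.items()
                     if needle in lowered]

    client_data = [p for d, _f, p in session if d == "c2s" and p]
    server_banner = any(d == "s2c" and p.startswith(b"SSH-") for d, _f, p in session)
    torn_down = any("F" in f or "R" in f for _d, f, _p in session)

    if server_banner and torn_down:
        if ident is not None and len(client_data) == 1:
            # Alexis's case: banner in, banner out, connection dropped, no KEXINIT.
            findings.append("banner-grab-short-session")
        elif not client_data:
            # James's telnet case: the probe never identifies itself at all.
            findings.append("silent-banner-grab")
    return findings


SYN_HANDSHAKE = [("c2s", "S", b""), ("s2c", "SA", b""), ("c2s", "A", b"")]
SERVER_BANNER = ("s2c", "PA", b"SSH-2.0-OpenSSH_7.4\r\n")

# Constructed sessions. The nmap string is the one in James's packet dump;
# the scanssh string and the KEXINIT packet bytes are assumed for illustration.
SESSIONS = {
    "nmap": SYN_HANDSHAKE + [
        ("c2s", "PA", b"SSH-1.5-Nmap-SSH1-Hostkey\r\n"),
        SERVER_BANNER,
        ("c2s", "R", b""),
    ],
    "scanssh": SYN_HANDSHAKE + [
        SERVER_BANNER,
        ("c2s", "PA", b"SSH-1.0-SSH_Version_Mapper\n"),
        ("c2s", "FA", b""), ("s2c", "FA", b""),
    ],
    "telnet_grab": SYN_HANDSHAKE + [
        SERVER_BANNER,
        ("c2s", "R", b""),
    ],
    "openssh_login": SYN_HANDSHAKE + [
        SERVER_BANNER,
        ("c2s", "PA", b"SSH-2.0-OpenSSH_7.4\r\n"),
        # SSH_MSG_KEXINIT (type 20 = 0x14) after the 4-byte length and padding length
        ("c2s", "PA", b"\x00\x00\x00\x1c\x0a\x14" + b"\x00" * 26),
        ("s2c", "PA", b"\x00\x00\x00\x1c\x0a\x14" + b"\x00" * 26),
        ("c2s", "FA", b""), ("s2c", "FA", b""),
    ],
}


def classify_all(sessions=SESSIONS):
    """Run the classifier over every constructed session."""
    return {name: classify_session(s) for name, s in sessions.items()}


if __name__ == "__main__":
    for name, findings in classify_all().items():
        print(f"{name:14s} {findings or 'clean'}")
```

The signature matches are the part a content rule already does; the two shape heuristics are what a single Snort content match cannot express, and they are the noisy part: any monitoring probe or health check that reads the banner and disconnects looks identical, so on a real sensor they belong behind a per-source threshold (several such sessions from one address in a short window) rather than firing on a single connection.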
Current thread:
- SSH Version Scan Alexis (Apr 12)
- Re: SSH Version Scan Jason Hellenthal (Apr 12)
- Re: SSH Version Scan Alexis (Apr 12)
- Re: SSH Version Scan James Lay (Apr 13)
- Re: SSH Version Scan Alexis (Apr 12)
- Re: SSH Version Scan Jason Hellenthal (Apr 12)