Snort mailing list archives

Re: SSH Version Scan


From: Jason Hellenthal <jhellenthal () dataix net>
Date: Wed, 12 Apr 2017 09:11:46 -0500

Personally I would look into how detection for SIP works from NMAP and dump the traffic on the network from a live scan 
and formulate something like the following with your specific to/from details.

flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon;


Though it may be just easier to rate limit the connection attempts by max number of source connections and just 
blacklist them. Unless you are really interested in the details of versioning attempts.




On Apr 12, 2017, at 08:20, Alexis <jakatsavras () gmail com> wrote:

Is there a way for Snort to detect an SSH version scan made on port 22?

The scan can be done either using "nmap -p 22 -sV 192.168.1.1" OR on Kali using
msf auxiliary(ssh_version)

I believe the below only works if the ssh scanner is scanssh.org

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)

Thanks
alexis
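An added example, not part of the thread and not Snort's own code, that simulates in Python the two detection ideas discussed above over constructed data: a `content`/`depth` match in the style of the community rule sid:1638 and the SIP-style fragment in the reply, and a per-source connection count in the spirit of the rate-limit suggestion. The client banners and timestamps are constructed for this example (the string "Version_Mapper" is the only detail taken from the rule itself), and the case of a client that sends nothing before closing is an assumption about how a banner-grabbing version probe can look, included to show why a payload-content rule alone can miss it.

```python
"""Simulated Snort-style content matching and per-source connection counting.
All connection records and banners below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Conn:
    ts: float              # seconds since epoch (constructed)
    src: str               # source address (constructed, RFC 5737 ranges)
    dport: int             # destination port
    client_payload: bytes  # first bytes the client sent to the server


def snort_content(pattern: str) -> bytes:
    """Decode Snort content syntax: text with |hh hh| hex sections, e.g. 'sip|3A|nm'."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        out += part.encode("ascii") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def content_match(payload: bytes, content: bytes, depth: Optional[int] = None) -> bool:
    """Approximation of Snort 'content' with optional 'depth': the pattern must lie
    entirely within the first `depth` bytes of the client payload."""
    haystack = payload if depth is None else payload[:depth]
    return content in haystack


def matches_version_mapper(conn: Conn) -> bool:
    """Detection logic of the community rule: TCP to port 22, payload contains 'Version_Mapper'."""
    return conn.dport == 22 and content_match(conn.client_payload, snort_content("Version_Mapper"))


def rate_exceeders(conns: List[Conn], max_conns: int, window: float) -> Set[str]:
    """Sources that open more than `max_conns` connections to port 22 inside any
    sliding window of `window` seconds (the 'max number of source connections' idea)."""
    by_src = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        if c.dport == 22:
            by_src[c.src].append(c.ts)
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_conns:
                flagged.add(src)
                break
    return flagged


# Constructed sample: one normal client, one scanssh-style client whose banner
# carries the string the community rule looks for, and one source that opens
# eight connections in a few seconds without sending any client data
# (assumed shape of a banner grab; not taken from the thread).
SAMPLE = [
    Conn(0.0, "198.51.100.10", 22, b"SSH-2.0-OpenSSH_7.4\r\n"),
    Conn(1.0, "203.0.113.5", 22, b"SSH-1.0-SSH_Version_Mapper\n"),
] + [Conn(2.0 + i, "203.0.113.7", 22, b"") for i in range(8)]


def analyze(conns: List[Conn], max_conns: int = 5, window: float = 60.0) -> dict:
    """Return which sources each approach flags, so the two can be compared."""
    return {
        "content_rule": sorted({c.src for c in conns if matches_version_mapper(c)}),
        "rate_limit": sorted(rate_exceeders(conns, max_conns, window)),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Running it shows the content rule flagging only the scanssh-style source, while the connection-count check flags the source that repeatedly connected and sent nothing, which is the gap the reply's rate-limit suggestion covers. The `snort_content` helper also decodes the reply's SIP fragment: "OPTIONS sip|3A|nm SIP/" is exactly 19 bytes, which is why its `depth:19` anchors the match to the very start of the request.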
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

