Snort mailing list archives

Re: SSH Version Scan


From: James Lay <jlay () slave-tothe-box net>
Date: Thu, 13 Apr 2017 06:08:13 -0600

alert tcp any any -> any 22 (msg:"INDICATOR-SCAN Nmap SSH Version map
attempt"; flow:established; content:"nmap"; fast_pattern:only;
classtype:network-scan; sid:9999998; rev:1;)
04/12-14:06:37.663608  [**] [1:9999998:1] INDICATOR-SCAN Nmap SSH Version map attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {TCP} 192.168.1.253:51568 -> 192.168.1.7:22

04/12-14:06:37.663608 00:22:41:33:12:B2 -> 00:1F:F3:46:62:CA type:0x800 len:0x5D
192.168.1.253:51568 -> 192.168.1.7:22 TCP TTL:64 TOS:0x0 ID:51982 IpLen:20 DgmLen:79 DF
***AP*** Seq: 0xFE2C4827  Ack: 0x3F577223  Win: 0xE5  TcpLen: 32
TCP Options (3) => NOP NOP TS: 126386992 255977148
53 53 48 2D 31 2E 35 2D 4E 6D 61 70 2D 53 53 48  SSH-1.5-Nmap-SSH
31 2D 48 6F 73 74 6B 65 79 0D 0A                 1-Hostkey..

Won't help with clowns using telnet and resetting the connection though.
James
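The two signals this thread keeps coming back to, a client identification string that names a scanner and a session that is torn down right after the banner exchange without ever reaching key exchange, can also be checked outside Snort. The script below is an added example, not code from the thread or from Snort; it runs the two checks over a constructed flow summary. The Session fields, the packet threshold and the sample sessions are assumptions made for illustration; the Nmap banner is the one in the packet dump above, and the Version_Mapper pattern is what community rule sid 1638 looks for.

```python
import re
from dataclasses import dataclass

# Client identification strings that belong to scanners rather than real SSH
# clients. The Nmap string is taken from the packet dump above; Version_Mapper
# is the scanssh marker that community rule sid 1638 matches on.
SCANNER_SOFTWARE_PATTERNS = (
    re.compile(r"nmap", re.IGNORECASE),
    re.compile(r"version_mapper", re.IGNORECASE),
)

# Threshold for "the session ended right after the banner exchange". This is an
# assumption for the example: a real login produces far more segments than this.
SHORT_SESSION_MAX_PACKETS = 10

# RFC 4253 section 4.2 identification string:
#   SSH-protoversion-softwareversion SP comments CR LF   (comments optional)
ID_STRING_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: ([^\r\n]*))?\r?\n?$")


@dataclass
class Session:
    """One TCP session to port 22, as a flow collector might summarise it (assumed layout)."""
    client: str          # client IP
    server_banner: str   # first line sent by the server
    client_banner: str   # first line sent by the client ("" if it sent none)
    packets: int         # TCP segments seen in both directions
    saw_kexinit: bool    # True if the client ever sent SSH_MSG_KEXINIT (type 20)


def parse_id_string(line):
    """Split an SSH identification string into its fields, or return None if malformed."""
    m = ID_STRING_RE.match(line)
    if not m:
        return None
    proto, software, comments = m.groups()
    return {"proto": proto, "software": software, "comments": comments or ""}


def classify(session):
    """Return the reasons a session looks like a version scan (empty list if none)."""
    reasons = []

    # Signal 1: the client announced itself as a scanner in its banner.
    ident = parse_id_string(session.client_banner)
    if ident:
        for pat in SCANNER_SOFTWARE_PATTERNS:
            if pat.search(ident["software"]):
                reasons.append("scanner banner: " + ident["software"])
                break

    # Signal 2: banner grab. A real client follows its identification string
    # with KEXINIT; a scanner reads the server banner and drops the connection
    # after a handful of segments, whether or not it sent a banner of its own.
    if not session.saw_kexinit and session.packets <= SHORT_SESSION_MAX_PACKETS:
        reasons.append(f"short session: {session.packets} packets, no KEXINIT")

    return reasons


def classify_all(sessions):
    """Map client IP -> reasons, for every session that triggered at least one signal."""
    hits = {}
    for s in sessions:
        reasons = classify(s)
        if reasons:
            hits.setdefault(s.client, []).extend(reasons)
    return hits


# Constructed sample sessions, not captured data. The first reproduces the client
# banner from the packet dump above; the others are made up for contrast.
SAMPLE_SESSIONS = [
    Session("192.168.1.253", "SSH-2.0-OpenSSH_7.4\r\n",
            "SSH-1.5-Nmap-SSH1-Hostkey\r\n", packets=8, saw_kexinit=False),
    Session("192.168.1.50", "SSH-2.0-OpenSSH_7.4\r\n",
            "SSH-2.0-OpenSSH_7.4\r\n", packets=46, saw_kexinit=True),
    Session("10.0.0.9", "SSH-2.0-OpenSSH_7.4\r\n",
            "", packets=5, saw_kexinit=False),                 # silent banner grab
    Session("10.0.0.33", "SSH-2.0-OpenSSH_7.4\r\n",
            "SSH-1.0-SSH_Version_Mapper\r\n", packets=7, saw_kexinit=False),
]

if __name__ == "__main__":
    for client, reasons in classify_all(SAMPLE_SESSIONS).items():
        print(client, "->", "; ".join(reasons))
```

The banner check is the cheap one and is what the rule above does in Snort; note that Snort's fast-pattern matcher is case-insensitive and fast_pattern:only skips the later case-sensitive content check, which is why content:"nmap" fired on the capital-N "Nmap" banner (a content without fast_pattern:only would need nocase). The short-session check is what catches the "telnet and reset" case, since it keys on the absence of KEXINIT rather than on any string the scanner chooses to send.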
On Wed, 2017-04-12 at 15:43 +0000, Alexis wrote:
Thanks for the input Jason. I will have a look at the SIP rules.

As far as I can tell, an SSH version scan with nmap gets the SSH banner and then drops the TCP connection. No username or password are given. So I think I am looking for a rule that sees the SSH banner (which I can do) and that the TCP session is only, say, 3-4 packets (which I am not sure how to do).

Thanks
Alexis



On Wed, 12 Apr 2017 at 15:12 Jason Hellenthal <jhellenthal () dataix net> wrote:

Personally I would look into how detection for SIP works from NMAP, dump the network traffic from a live scan and formulate something like the following with your specific to/from details.

flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon;

Though it may be just easier to rate limit the connection attempts by max number of source connections and just blacklist them. Unless you are really interested in the details of versioning attempts.





On Apr 12, 2017, at 08:20, Alexis <jakatsavras () gmail com> wrote:

Is there a way for Snort to detect an SSH version scan made on port 22?

The scan can be done either using "nmap -p 22 -sV 192.168.1.1" OR on Kali using

msf auxiliary(ssh_version)

I believe the below only works if the ssh scanner is scanssh.org

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)

Thanks
alexis

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!