Snort mailing list archives
Re: SSH Version Scan
From: Jason Hellenthal <jhellenthal () dataix net>
Date: Wed, 12 Apr 2017 09:11:46 -0500
Personally I would look into how detection for SIP works from NMAP and dump the traffic on the network from a live scan and formulate something like the following with your specific to/from details.

flow:established,to_server; content:"OPTIONS sip|3A|nm SIP/"; depth:19; classtype:attempted-recon;

Though it may be just easier to rate limit the connection attempts by max number of source connections and just blacklist them. Unless you are really interested in the details of versioning attempts.
On Apr 12, 2017, at 08:20, Alexis <jakatsavras () gmail com> wrote:

Is there a way for Snort to detect a SSH version scan made on port 22? The scan can be done either using "nmap -p 22 -sV 192.168.1.1" OR on Kali using msf auxiliary(ssh_version).

I believe the below only works if the ssh scanner is scanssh.org

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1638; rev:9;)

Thanks
alexis

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
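The two content matches discussed in this thread (the community rule's `Version_Mapper` string and the SIP `OPTIONS sip|3A|nm SIP/` fragment with `depth:19`), evaluated offline against constructed client-to-server payloads, as an added example that is not part of the thread or of Snort itself. The `Rule` class, the placeholder `sid` on the SIP rule and the sample payloads are assumptions; `fast_pattern:only` is modelled as a case-insensitive match because Snort's fast pattern matcher is case-insensitive.

```python
"""Offline check of the Snort content matches from this thread (added example).

Models only the rule options the two rules actually use: content with |hex|
escapes, depth, and fast_pattern:only.  Payloads below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional


def parse_content(spec: str) -> bytes:
    """'OPTIONS sip|3A|nm SIP/' -> b'OPTIONS sip:nm SIP/'; text between | | is hex."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("ascii")
    return bytes(out)


@dataclass(frozen=True)
class Rule:  # hypothetical helper, not a Snort API
    msg: str
    sid: int
    content: str
    depth: Optional[int] = None  # pattern must lie wholly within the first `depth` bytes
    nocase: bool = False         # fast_pattern:only => case-insensitive match

    def matches(self, payload: bytes) -> bool:
        needle = parse_content(self.content)
        window = payload if self.depth is None else payload[:self.depth]
        if self.nocase:
            needle, window = needle.lower(), window.lower()
        return needle in window


RULES = [
    Rule("INDICATOR-SCAN SSH Version map attempt", 1638, "Version_Mapper", nocase=True),
    # Jason's SIP fragment; sid 1000001 is a placeholder (assumption, not from the page)
    Rule("SIP OPTIONS probe (nmap-style)", 1000001, "OPTIONS sip|3A|nm SIP/", depth=19),
]


def evaluate(payload: bytes, rules=RULES) -> List[int]:
    """Return the sids of every rule whose content matches this to_server payload."""
    return [r.sid for r in rules if r.matches(payload)]


SAMPLES = {  # constructed, not captures from the list
    "openssh_client": b"SSH-2.0-OpenSSH_7.4\r\n",
    "scanssh_like": b"SSH-1.0-SSH_Version_Mapper\n",
    "sip_options_probe": b"OPTIONS sip:nm SIP/2.0\r\nVia: SIP/2.0/TCP nm;branch=foo\r\n",
    "sip_options_late": b"X-Junk: 12345 OPTIONS sip:nm SIP/2.0\r\n",  # beyond depth:19
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18s} -> sids {evaluate(payload)}")
```

The last sample shows why `depth:19` matters: the same bytes later in the payload do not fire the rule, and a plain OpenSSH client banner matches neither rule.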