# Rev 10, shipped disabled: the leading '#' comments the rule out and the msg is filed under "ET DELETED".
# Header is "ssh ... any -> ... any", so matching depends on the engine identifying the flow as SSH, not on port 22.
# ssh.softwareversion:"libssh-" is matched against the software-version part of the client banner (to_server,
# established flow). A banner that names the library without the trailing hyphen would not match.
# (assumption about banner formats; confirm against banners seen in your own logs)
# threshold: at most one alert per source address per 30 seconds, so alert counts understate connection counts.
# NOTE(review): the '?' after "LibSSH" and "BruteForce" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
#alert ssh $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; ssh.softwareversion:"libssh-"; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:10;)

Added 2014-09-23 17:58:31 UTC


# Rev 6 as recorded on 2011-10-12. TCP to destination port 22 only, so SSH served on another port is not inspected.
# Requires "SSH-" followed by "libssh" inside the next 20 bytes, client-to-server on an established flow.
# Neither content has depth/offset or nocase: the pair may match anywhere in the payload, case-sensitively,
# and "libssh" is a plain substring, so any banner containing it (e.g. "libssh2") also alerts.
# threshold: at most one alert per source address per 30 seconds.
# NOTE(review): the '?' after "LibSSH" and "BruteForce" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; classtype:misc-activity; sid:2006435; rev:6;)

Added 2011-10-12 19:20:43 UTC


# Rev 6 as recorded on 2011-09-14. Same options as the 2011-10-12 entry on this page; only the position of
# classtype differs, and the rev number is the same for both.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# threshold: at most one alert per source address per 30 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; sid:2006435; rev:6;)

Added 2011-09-14 22:34:16 UTC


# Rev 6 as recorded on 2011-02-04. Carries a second reference (the cvsweb path) that the 2011-09-14 and
# 2011-10-12 rev 6 entries on this page no longer have. The rev number stayed at 6 across those edits,
# so sid+rev alone does not pin the exact rule text; compare the full rule when auditing a deployed copy.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# threshold: at most one alert per source address per 30 seconds.
# NOTE(review): the '?' after "LibSSH" and "BruteForce" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_SSH_Brute_Force; sid:2006435; rev:6;)

Added 2011-02-04 17:25:22 UTC


# Rev 6 as recorded on 2009-02-12; the rule text is the same as the entry dated 2011-02-04 on this page.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# threshold: at most one alert per source address per 30 seconds. Two reference URLs are attached.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_SSH_Brute_Force; sid:2006435; rev:6;)

Added 2009-02-12 18:21:19 UTC


# Rev 6, listed a second time with the same 2009-02-12 timestamp; the rule text is unchanged.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# threshold: at most one alert per source address per 30 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 30; reference:url,doc.emergingthreats.net/2006435; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_SSH_Brute_Force; sid:2006435; rev:6;)

Added 2009-02-12 18:21:19 UTC


# Rev 5 (2008-03-26): first revision on this page with a threshold; it carries no reference option.
# threshold: type limit, track by_src, count 1, seconds 30 -> at most one alert per source address per
# 30 seconds, so a burst of connections from one host shows up as a single alert per window.
# Detection is unchanged from rev 4: "SSH-" then "libssh" within the next 20 bytes, to_server, port 22 only.
# NOTE(review): the '?' after "LibSSH" and "BruteForce" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 30; sid:2006435; rev:5;)

Added 2008-03-26 19:08:25 UTC


# Rev 5, listed a second time with the same 2008-03-26 timestamp; the rule text is unchanged.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# threshold: at most one alert per source address per 30 seconds.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; threshold: type limit, track by_src, count 1, seconds 30; sid:2006435; rev:5;)

Added 2008-03-26 19:08:25 UTC


# Rev 4 (2008-01-29): msg prefix is "ET SCAN" where rev 3 has "BLEEDING-EDGE SCAN"; matching options are the same.
# No threshold option in this revision, so alerts are not rate-limited per source.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# The contents have no depth/offset or nocase, so the match is position-independent and case-sensitive.
# NOTE(review): the '?' after "LibSSH" and "BruteForce" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; sid:2006435; rev:4;)

Added 2008-01-29 10:56:40 UTC


# Rev 4, listed a second time with the same 2008-01-29 timestamp; the rule text is unchanged.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# No threshold option, so alerts are not rate-limited per source.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; sid:2006435; rev:4;)

Added 2008-01-29 10:56:40 UTC


# Rev 3 (2007-07-31): msg reworded from "Bruteforce Attempt" (rev 2) to "Connection - Often used as a
# BruteForce Tool"; the matching options are the same as rev 2.
# Detection: "SSH-" then "libssh" within the next 20 bytes, to_server on an established flow, port 22 only.
# The rule identifies the client library from its banner; it does not count or inspect login attempts.
# No threshold option, so alerts are not rate-limited per source.
# NOTE(review): the '?' after "LibSSH" and "BruteForce" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE SCAN LibSSH? Based SSH Connection - Often used as a BruteForce? Tool"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; sid:2006435; rev:3;)

Added 2007-07-31 00:16:11 UTC

This is not necessarily a sure sign of a brute-force attack. Libssh is a useful and widely used library; however, it is also very often used in brute-force tools. If you see frequent hits on this signature within a short period, the source is likely hostile.

-- MattJonkman - 31 Jul 2007


# Rev 2 (2007-07-27): replaces rev 1's pcre and flags:PA with two content matches and adds to_server to flow.
# Requires "SSH-" followed by "libssh" inside the next 20 bytes, on an established flow to port 22.
# The contents have no depth/offset or nocase, so the match is position-independent and case-sensitive,
# and it is not tied to a protocol version string as the rev 1 pcre was.
# The msg calls every hit a "Bruteforce Attempt" although only the client banner is examined.
# NOTE(review): the '?' after "LibSSH" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE SCAN LibSSH? Based SSH Bruteforce Attempt"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; classtype:misc-activity; sid:2006435; rev:2;)

Added 2007-07-27 12:46:42 UTC


# Rev 1 (2007-07-27): the only revision on this page that matches with pcre alone.
# flags:PA has no modifier, so only segments with exactly PSH and ACK set are examined.
# flow:established gives no direction; the header (-> $HOME_NET 22) is what limits it to traffic toward port 22.
# In the pcre, "\.*" means zero or more literal dots, not "any characters": the pattern needs "SSH-1.0-" or
# "SSH-2.0-", optional dots, then "libssh". A banner with another version string (e.g. 1.99) does not match.
# There is no content option to pre-filter on, so the regex is presumably evaluated for every PSH/ACK segment
# to port 22 (performance assumption; confirm for your engine).
# NOTE(review): the '?' after "LibSSH" looks like a wiki link marker rather than msg text;
# verify against the published ruleset before copying this rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE SCAN LibSSH? Based SSH Bruteforce Attempt"; flags:PA; flow:established; pcre:"/SSH-(1|2)\.0-\.*libssh\.*/"; classtype:misc-activity; sid:2006435; rev:1;)

Added 2007-07-27 03:46:09 UTC


Topic revision: r2 - 2007-07-31 - MattJonkman
 