Does LANGuardian detect SSH being run over a different port than 22?

  • Updated 6 years ago
We are looking to see if SSH is being run over a different port than 22. Do you have a signature to detect this?

IT-help


Posted 6 years ago


Andy

The following two signatures will
detect SSH not running on port 22. Note that the two signatures need to be
added in order for alerts to be generated.

alert tcp any !22 -> any any (msg:"ET POLICY SSH Server Banner
Detected on Unusual Port"; flowbits:noalert; flow:
from_server,established; content:"SSH-"; offset: 0; depth: 4;
byte_test:1,>,48,0,relative; byte_test:1, any !22 (msg:"ET POLICY SSH Client Banner
Detected on Unusual Port"; flowbits:isset,is_ssh_server_banner; flow:
from_client,established; content:"SSH-"; offset: 0; depth: 4;
byte_test:1,>,48,0,relative; byte_test:1,<,51,0,relative;
byte_test:1,=,46,1,relative; flowbits: set,is_ssh_client_banner;
reference:url,doc.emergingthreats.net/2001980;
classtype:misc-activity; sid:2001980; rev:9;)

Refer to the forum entry on the steps to add a new rule.
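
Added example (not part of Andy's post, and not LANGuardian or Emerging Threats code): a small Python model of the matching logic visible in the rule options above, showing why both signatures have to be loaded before an alert fires. The names Flow, inspect and run are hypothetical, the traffic is constructed, and the assumption is that the server-banner rule sets the is_ssh_server_banner flowbit that the client-banner rule checks.

```python
from dataclasses import dataclass, field

SSH_PORT = 22

def is_ssh_banner(payload: bytes) -> bool:
    """Mirror the rule options: content:"SSH-" at offset 0, depth 4, then
    byte_test >48 and <51 on the next byte and =46 on the byte after it."""
    if len(payload) < 6 or payload[:4] != b"SSH-":
        return False
    major, dot = payload[4], payload[5]
    return 48 < major < 51 and dot == 46   # "1" or "2", followed by "."

@dataclass
class Flow:
    server_port: int
    bits: set = field(default_factory=set)  # stands in for Snort flowbits

def inspect(flow: Flow, from_server: bool, payload: bytes) -> bool:
    """Return True when an alert would fire for this segment."""
    if flow.server_port == SSH_PORT or not is_ssh_banner(payload):
        return False
    if from_server:
        # Server-banner rule carries flowbits:noalert, so it only records state.
        # Assumption: it sets the bit that the client-banner rule tests.
        flow.bits.add("is_ssh_server_banner")
        return False
    if "is_ssh_server_banner" in flow.bits:
        # Client-banner rule: flowbits:isset passes, so this one alerts.
        flow.bits.add("is_ssh_client_banner")
        return True
    return False

def run(server_port: int, segments) -> list:
    """Feed (from_server, payload) segments of one TCP flow through both rules."""
    flow = Flow(server_port)
    return [inspect(flow, from_server, data) for from_server, data in segments]

# Constructed sample traffic: (from_server, first bytes of the segment)
SSH_EXCHANGE = [(True, b"SSH-2.0-OpenSSH_8.9\r\n"),
                (False, b"SSH-2.0-PuTTY_Release_0.78\r\n")]
HTTP_EXCHANGE = [(False, b"GET / HTTP/1.1\r\n"),
                 (True, b"HTTP/1.1 200 OK\r\n")]

if __name__ == "__main__":
    print("SSH on 2222:", run(2222, SSH_EXCHANGE))
    print("SSH on 22:  ", run(22, SSH_EXCHANGE))
    print("HTTP on 8080:", run(8080, HTTP_EXCHANGE))
```

With only the client-banner signature loaded, the flowbit is never set and no alert is generated, which matches the note above that both signatures must be added.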