Alert Message: Possible attack on the ssh server (or version gathering).
This rule is triggered when a connection is made to the SSH port but never attempts to set up an SSH session: the client does not negotiate with the SSH daemon as an SSH-aware client, so sshd logs a bad protocol version identification. Real SSH client connections do not cause this. For example, telnetting to the SSH port will generate this alert.
This method is used by attackers to determine whether SSH is running on the system and which version of SSH the system is using.
 Log example
sshd: Bad protocol version identification '\377\364\377\375\006' from UNKNOWN
 False Positives
Some simple or old monitoring packages use this method to check whether the SSH service is up, which generates a false positive.
 Tuning Guidance
We do not recommend that you disable this rule. Instead, if your monitoring system is generating this alert, whitelist its IP address or change to a monitoring solution that establishes an SSH-aware connection to the SSH service.
If you do not wish to shun on this rule, change the rule's Active Response configuration to "no". We do not recommend disabling active response on this rule, as this method is widely used to probe SSH servers.
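The following is an added example, not part of this rule's documentation or its ruleset: it matches sshd's "Bad protocol version identification" message over constructed log lines, labels what the client actually sent, and applies the monitoring-host whitelist described above. The regex, the allow-list network, and the sample lines other than the one quoted on this page are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Matches the sshd message quoted on this page; pid and "port N" suffix are optional.
BAD_PROTO_RE = re.compile(
    r"sshd(?:\[\d+\])?: Bad protocol version identification "
    r"'(?P<banner>[^']*)' from (?P<src>\S+)(?: port (?P<port>\d+))?"
)

# Hypothetical allow-list for monitoring hosts (the "whitelist the IP" advice above).
MONITOR_ALLOWLIST = [ip_network("10.0.0.0/24")]

def classify_banner(banner):
    """sshd logs non-printable bytes as \\ooo octal escapes, so the telnet IAC
    byte 0xff appears as \\377, as in the sample log line on this page."""
    if banner.startswith("\\377"):
        return "telnet-negotiation"
    if banner.split(" ", 1)[0] in ("GET", "HEAD", "POST", "OPTIONS"):
        return "http-request"
    return "other"

def is_allowlisted(src):
    try:
        addr = ip_address(src)
    except ValueError:  # 'UNKNOWN' or a hostname is never allow-listed
        return False
    return any(addr in net for net in MONITOR_ALLOWLIST)

def evaluate(line):
    """None if the line is not this event; otherwise the triage decision."""
    m = BAD_PROTO_RE.search(line)
    if not m:
        return None
    src = m.group("src")
    return {
        "src": src,
        "kind": classify_banner(m.group("banner")),
        "decision": "suppressed" if is_allowlisted(src) else "alert",
    }

# Constructed sample log lines; the first is the one quoted on this page.
SAMPLE_LOG = [
    r"sshd: Bad protocol version identification '\377\364\377\375\006' from UNKNOWN",
    r"Jan  1 12:00:00 bastion sshd[1234]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.5 port 51234",
    r"Jan  1 12:00:05 bastion sshd[1240]: Bad protocol version identification '\377\375\030' from 10.0.0.7 port 40022",
    r"Jan  1 12:00:09 bastion sshd[1242]: Accepted publickey for ops from 10.0.0.7 port 40100",
]

def run(lines):
    return [r for r in map(evaluate, lines) if r is not None]
```

Only the allow-listed monitoring host is suppressed; the probe from an unknown source and the HTTP request hitting the SSH port still alert.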