Difference between revisions of "HIDS 5706"

From Atomicorp Wiki
Jump to: navigation, search
m (Description)
m (False Positives)
 
(One intermediate revision by one user not shown)
Line 12: Line 12:
  
 
nmap, for example, uses this method with its version scan and will generate this alert.
 
nmap, for example, uses this method with its version scan and will generate this alert.
 +
 +
Some primitive software packages will "probe" the ssh port before attempting to connect to it, instead of actually connecting.  If you are using software of this type and you need to allow probes of your ssh port, you will need to disable active response for this rule.
  
 
== Log example ==
 
== Log example ==
Line 21: Line 23:
 
== False Positives ==
 
== False Positives ==
  
Some simple or old monitoring packages may use this method to see if the SSH service is up, which can generate a false positive.  We do not recommend you disable this rule.
+
Some simple or old monitoring packages may use this method to see if the SSH service is listening, which can generate this alert.  We do not recommend you disable this rule.
  
 
== Tuning Guidance ==
 
== Tuning Guidance ==

Latest revision as of 13:11, 27 October 2015

Rule 5706
Status Active
Alert Message SSH insecure connection attempt (scan).

Contents

[edit] Description

This rule is triggered when a system connects to the sshd service but does not attempt to actually create an SSH connection. For example, if an attacker probes the port to see if SSH is running. SSH clients will not generate this alert. They create a full connection with the service, this alert will only occur if a probe against the port is initiated or if a client terminates the connection before finishing setting it up.

nmap, for example, uses this method with its version scan and will generate this alert.

Some primitive software packages will "probe" the ssh port before attempting to connect to it, instead of actually connecting. If you are using software of this type and you need to allow probes of your ssh port, you will need to disable active response for this rule.

[edit] Log example

sshd[21424]: Did not receive identification string from 1.2.3.4

[edit] Troubleshooting

[edit] False Positives

Some simple or old monitoring packages may use this method to see if the SSH service is listening, which can generate this alert. We do not recommend you disable this rule.

[edit] Tuning Guidance

Instead if your monitoring system is generating this alert, we recommend you whitelist the IP or change to a monitoring solution that actually establishes an SSH aware connection to the SSH service.

If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". We do not recommend you disable active response on this rule, as this method is widely used to probe ssh servers.

[edit] Additional Information

[edit] Similar Rules

HIDS_5701

[edit] Knowledge Base Articles

None.

[edit] Outside References

None.

Personal tools