HIDS 5706

From Atomicorp Wiki
Revision as of 18:11, 2 November 2014

Rule 5706
Status Active
Alert Message SSH insecure connection attempt (scan).

Description

This rule is triggered when a system connects to the sshd service but never attempts to set up an SSH session, for example when an attacker probes the port to see whether SSH is listening. Normal SSH clients do not generate this alert: they complete the protocol exchange with the service. The alert occurs only when the port is probed, or when a client closes the connection before it has sent its SSH identification string.

nmap, for example, uses this method in its version scan (-sV): it connects, reads the banner sshd sends, and closes without sending an identification string, which generates this alert.

Log example

sshd[21424]: Did not receive identification string from 1.2.3.4

Troubleshooting

False Positives

Some simple or old monitoring packages check whether the SSH service is up by opening a TCP connection and closing it without sending an identification string. This generates the alert as a false positive. We do not recommend disabling this rule.

Tuning Guidance

If your monitoring system is generating this alert, whitelist its IP address instead, or change to a monitoring check that establishes an SSH-aware connection to the service (one that sends its identification string and completes the handshake).

If you do not wish to shun (block) source addresses on this rule, set the rule's Active Response configuration to "no". We do not recommend disabling active response for this rule, as this probing method is widely used against SSH servers.
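The detection and tuning described above, as an added example that is not part of the original page and not Atomicorp's or OSSEC's own rule code: a small Python triage routine that matches the sshd "Did not receive identification string" message that rule 5706 keys on, extracts the source address, and separates alerts from hits coming from a whitelisted monitoring network. The syslog prefix format in the sample lines, the monitoring network 10.0.0.0/24 and the host 192.0.2.10 are assumptions; the sample log lines are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network

# Pattern for the OpenSSH message that rule 5706 matches. The source
# address is taken up to the next space so that newer sshd builds, which
# append " port NNNNN", still yield just the address.
SSHD_NO_IDENT = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Did not receive identification string from "
    r"(?P<src>\S+)"
)

# Hypothetical whitelist of monitoring hosts (assumption, not from the page).
# Hits from these sources are counted but not raised as alerts.
MONITORING_WHITELIST = [ip_network("10.0.0.0/24"), ip_network("192.0.2.10/32")]


def match_rule_5706(line):
    """Return the source address if the line matches rule 5706, else None."""
    m = SSHD_NO_IDENT.search(line)
    return m.group("src") if m else None


def is_whitelisted(src):
    """True if src is an IP address inside one of the monitoring networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        # Hostnames or garbage never match the whitelist; treat as untrusted.
        return False
    return any(addr in net for net in MONITORING_WHITELIST)


def triage(lines):
    """Split rule-5706 hits into (alerts, suppressed), each a {src: count} map.

    'alerts' is what active response would act on; 'suppressed' holds hits
    from whitelisted monitoring sources so they remain visible for review.
    """
    alerts, suppressed = {}, {}
    for line in lines:
        src = match_rule_5706(line)
        if src is None:
            continue  # real SSH sessions and unrelated sshd messages
        bucket = suppressed if is_whitelisted(src) else alerts
        bucket[src] = bucket.get(src, 0) + 1
    return alerts, suppressed


# Constructed sample log: two probes from 1.2.3.4, one probe from a
# monitoring host, one genuine login and one client that dropped during
# key exchange (which sshd logs differently and rule 5706 does not match).
SAMPLE_LOG = """\
Nov  2 18:11:01 host sshd[21424]: Did not receive identification string from 1.2.3.4
Nov  2 18:11:03 host sshd[21430]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2
Nov  2 18:11:05 host sshd[21433]: Did not receive identification string from 10.0.0.5
Nov  2 18:11:06 host sshd[21440]: Did not receive identification string from 1.2.3.4 port 40112
Nov  2 18:11:07 host sshd[21441]: Connection closed by 203.0.113.9 port 40000 [preauth]
""".splitlines()


if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_LOG)
    for src, n in alerts.items():
        print(f"ALERT     rule 5706: {n} probe(s) from {src}")
    for src, n in suppressed.items():
        print(f"SUPPRESSED rule 5706: {n} probe(s) from whitelisted {src}")
```

Note that the "Connection closed by ... [preauth]" line is deliberately left unmatched: a client that sent its identification string and then dropped during key exchange is logged differently by sshd and is not what this rule detects.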

Additional Information

Similar Rules

HIDS_5701

Knowledge Base Articles

None.

Outside References

None.
