Revision as of 14:10, 27 October 2015

Description

This rule is triggered when a system connects to the sshd service but does not attempt to actually create an SSH connection. For example, if an attacker probes the port to see if SSH is running. SSH clients will not generate this alert. They create a full connection with the service, this alert will only occur if a probe against the port is initiated or if a client terminates the connection before finishing setting it up.

nmap, for example, uses this method with its version scan and will generate this alert.

Some primitive software packages will "probe" the ssh port before attempting to connect to it, instead of actually connecting. If you are using software of this type and you need to allow probes of your ssh port, you will need to disable active response for this rule.

Log example

sshd[21424]: Did not receive identification string from 1.2.3.4

Troubleshooting

False Positives

Some simple or old monitoring packages may use this method to see if the SSH service is up, which can generate a false positive. We do not recommend you disable this rule.

Tuning Guidance

Instead if your monitoring system is generating this alert, we recommend you whitelist the IP or change to a monitoring solution that actually establishes an SSH aware connection to the SSH service.

If you do not wish to shun on this rule, just change the Rules configuration for Active Response to "no". We do not recommend you disable active response on this rule, as this method is widely used to probe ssh servers.

Additional Information

Similar Rules

HIDS_5701

Knowledge Base Articles

None.

Outside References

None.