12-13-2007 06:52 AM - edited 03-10-2019 03:54 AM
Hi guys,
I have Cisco ASA-SSM-20 deployed INLINE.
I can cut any traffic without any problems except SSHv2 over HTTP or HTTPS.
Implementation? - http://dag.wieers.com/howto/ssh-http-tunneling/
Easy, you can make an HTTPS tunnel, then SSH over HTTPS and after that LOCAL PORT FORWARDING so you can get in the company from home ;)
How can I deny such a connection? Any signature? Any ideas, or can't Cisco help in this case?
Best regards,
CD
12-13-2007 07:07 AM
I assume you have the AIP-SSM-20?
Take a look at signatures 11233-0, -1 and -2, which are for SSH Over Non-standard Ports. These seem to do a good job detecting SSH tunnels and I haven't seen a false positive yet.
It's worth noting too that there are many, many more tools that can tunnel through a forwarding proxy without using SSH. SSH is just a little more ubiquitous.
12-13-2007 07:32 AM
12-13-2007 08:29 AM
Interesting. In the very first data packet, I see:
000-1.99-0000000_3.9p1
000-2.0-0000000_3.9p1
I expect to see something like:
SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT
SSH-1.99-OpenSSH_3.9p1
In the above session, I was using SecureCRT and connecting to an OpenSSH server.
In your case, whatever client and server is being used appears to replace any references to SSH and the server type with zeroes... perhaps intentionally to bypass IDS/IPS? Or actually, it might be a pretty clever hack to prevent others from connecting to your SSH server, because I think a standard SSH client will fail to connect if versions don't match. I'll have to test that.
In any event, look at the first data packet after the handshake and modify/build a signature based on it. You might consider a meta signature to prevent false positives. Bear in mind that someone capable of changing the source and recompiling both the server and the client can set this to whatever they want:
perhaps look for "diffie-hellman" in one signature and "ssh" in another?
12-13-2007 09:32 AM
I created a signature that fires on "diffie-hellman.*ssh". I've attached a snapshot. Not seeing any false positives yet. One thing to note: I created a new signature variable called "TUNNEL_PORTS" that contains all the ports our outbound PROXIES allow tunnels for. You should do the same. There is a significant problem with the original signature in that it only looks at the default #WEBPORTS variable. This variable is really designed for clear-text HTTP, so it doesn't contain port 443, etc. It feels wrong using a ".*" in the regex without some sort of match limit, so you may want to tune once you verify that it works.
BTW, this is on a sensor appliance not an ASA....so YMMV in terms of how you create a matching sig.
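As an added illustration of the approach laid out in the two replies above (inspect the first data packet of the flow, match the SSH identification string even when "SSH" and the software name have been zeroed out, and use a bounded form of the "diffie-hellman" / "ssh" match scoped to the proxy tunnel ports rather than WEBPORTS), here is a small Python classifier. This is example code written for this page, not a Cisco IPS signature and not from any of the posters; the port set, the signature names and the sample segments are constructed assumptions. One caveat worth keeping in mind: this only works because an HTTP CONNECT tunnel carries the SSH bytes in the clear. If the SSH session were wrapped inside real TLS, the sensor would only ever see a ClientHello.

```python
import re
from typing import Optional

# Ports the outbound proxies allow CONNECT tunnels on. Stand-in for the thread's
# TUNNEL_PORTS variable; the values are an assumption for this example.
TUNNEL_PORTS = {443, 8443, 9443}

# RFC 4253 identification string: "SSH-protoversion-softwareversion[ comments]\r\n".
SSH_BANNER_RE = re.compile(
    rb"^SSH-(?:1\.99|2\.0|1\.5)-[\x21-\x7e]{1,253}(?: [^\r\n]{0,253})?\r?\n"
)

# The altered banner reported in the thread ("SSH" and the software name replaced
# with zeroes, e.g. b"000-1.99-0000000_3.9p1"). The protocol version and the tail
# of the version token keep their shape, so match on the shape, not on "SSH".
ZEROED_BANNER_RE = re.compile(rb"^000-(?:1\.99|2\.0)-0+[^\r\n ]{0,253}\r?\n")

# Bounded form of the thread's "diffie-hellman.*ssh": in a KEXINIT the kex
# name-list ("diffie-hellman-group14-sha1,...") is followed a short distance
# later by host-key names such as "ssh-rsa". {0,512} replaces the open ".*".
KEXINIT_RE = re.compile(
    rb"diffie-hellman-[\x21-\x7e]{1,64}[\x00-\xff]{0,512}?ssh-(?:rsa|dss|ed25519)"
)


def classify_first_payload(payload: bytes, dst_port: int,
                           tunnel_ports=frozenset(TUNNEL_PORTS)) -> Optional[str]:
    """Classify the first client data segment of a TCP flow.

    Returns a signature name when the segment looks like SSH heading to one of
    the proxy tunnel ports, otherwise None. Scoping to tunnel_ports mirrors the
    thread's fix for the stock signature, which only looked at WEBPORTS
    (clear-text HTTP ports, so 443 was never inspected).
    """
    if dst_port not in tunnel_ports:
        return None
    if SSH_BANNER_RE.match(payload):
        return "ssh-banner-on-tunnel-port"
    if ZEROED_BANNER_RE.match(payload):
        return "ssh-zeroed-banner-on-tunnel-port"
    # Some clients send banner and KEXINIT in one segment, others split them.
    # Searching (not anchoring) lets this fire in either case.
    if KEXINIT_RE.search(payload):
        return "ssh-kexinit-on-tunnel-port"
    return None


# Constructed sample segments (assumptions for this example, not captures).
SECURECRT_BANNER = b"SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT\r\n"
OPENSSH_BANNER = b"SSH-1.99-OpenSSH_3.9p1\r\n"
ZEROED_BANNER = b"000-1.99-0000000_3.9p1\r\n"
# Minimal KEXINIT-shaped blob: packet length, padding length, msg type 20,
# 16-byte cookie, then length-prefixed name-lists. Only the two lists matter.
KEXINIT = (
    b"\x00\x00\x00\x5c\x05\x14" + b"\xaa" * 16
    + b"\x00\x00\x00\x36" + b"diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"
    + b"\x00\x00\x00\x0f" + b"ssh-rsa,ssh-dss"
    + b"\x00" * 5
)
HTTP_GET = b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32


def run_samples():
    """Run the classifier over the constructed segments; returns {name: verdict}."""
    flows = {
        "securecrt_443": (SECURECRT_BANNER, 443),
        "openssh_8443": (OPENSSH_BANNER, 8443),
        "zeroed_443": (ZEROED_BANNER, 443),
        "kexinit_9443": (KEXINIT, 9443),
        "http_443": (HTTP_GET, 443),
        "tls_443": (TLS_CLIENT_HELLO, 443),
        "securecrt_22": (SECURECRT_BANNER, 22),  # real SSH port: out of scope here
    }
    return {name: classify_first_payload(p, port) for name, (p, port) in flows.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} -> {verdict}")
```

The zeroed-banner rule is the one most likely to need tuning in practice: it keys on the "000-1.99-" / "000-2.0-" shape the poster observed, and, as the reply above says, anyone who recompiled client and server once can change that shape again.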
12-13-2007 09:47 AM
Hi,
thank you for the support. I will create the signature and see the result.
By the way, how are you defining the variable $TUNNEL_PORTS to match more than one port, so as not to create the same signature for more than one port?
Rgds,
CD
12-13-2007 09:49 AM
I don't have an ASA but my understanding is that functionality is similar. Just use a comma or carriage return to separate the ports.
443,8443,9443,etc
or
443
8443
9443
etc
12-13-2007 09:51 AM
btw, I'm curious. Do you know anything about this SSH tunnel you're seeing? I'm just wanting to know if someone manually updated source and then recompiled to create this effect or if there is some os or version of ssh that already does this out of the box.
12-13-2007 09:53 AM
btw, In the first data packet (from the client) I just see:
SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT
The "SSH-1.99-OpenSSH_3.9p1" is in the reply from the server.
12-14-2007 12:52 AM
Hi,
yes now I can stop this SSH connection over 443 ;) thanks
Attached is an output of the event log of the IPS.
Now coming back to the SSH: it is a modified version on the server side (banners deleted from the SSH daemon, key authentication plus some sort of compression built in).
The SSH server and SSH client are running on the Windows platform with CYGWIN.
Rgds,
CD