Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:1638 |
| Message | SCAN SSH Version map attempt |
| Summary | This event is generated when a scan is detected. |
| Impact | Information gathering. |
| Detailed Information | This event indicates that an attempt has been made to scan a host. This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit. |
| Affected Systems | Any host. |
| Attack Scenarios | An attacker can determine if a vulnerable version of SSH is being used on a host, then proceed to exploit that vulnerability. |
| Ease of Attack | Simple. |
| Corrective Action | Determine whether or not the scan was legitimate, then look for other events concerning the attacking IP address. Check the host for signs of compromise. |
| Additional References |
--
DID:316223
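
The Corrective Action above, worked through as an added example (not part of the original rule documentation and not Aanval or Snort code): it groups alerts by each source that triggered 1:1638, marks whether that source is a known scanner, and lists the hosts to check plus any other events from the same address. It assumes Snort's "fast" alert line layout with IPv4 addresses; the sample alerts, the local SIDs, the scanner allowlist and the function names are constructed for illustration.

```python
import re

SCAN_SID = ("1", "1638")  # GEN:SID documented on this page

# Layout of Snort's "fast" alert output (IPv4 only, an assumption of this example).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gen>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s+->\s+(?P<dst>\d+(?:\.\d+){3})(?::\d+)?\s*$"
)

# Constructed sample alerts; SIDs >= 1000000 stand in for unrelated local rules.
SAMPLE_ALERTS = [
    "08/14-10:15:32.123456  [**] [1:1638:5] SCAN SSH Version map attempt [**] [Priority: 3] {TCP} 203.0.113.7:40122 -> 192.0.2.10:22",
    "08/14-10:15:33.004211  [**] [1:1638:5] SCAN SSH Version map attempt [**] [Priority: 3] {TCP} 203.0.113.7:40123 -> 192.0.2.11:22",
    "08/14-10:17:02.551900  [**] [1:1000001:1] LOCAL constructed follow-up event [**] [Priority: 1] {TCP} 203.0.113.7:40200 -> 192.0.2.10:22",
    "08/14-11:00:00.000001  [**] [1:1638:5] SCAN SSH Version map attempt [**] [Priority: 3] {TCP} 198.51.100.20:51000 -> 192.0.2.10:22",
    "08/14-11:05:10.314159  [**] [1:1000002:1] LOCAL constructed unrelated event [**] [Priority: 2] {TCP} 198.51.100.99:3333 -> 192.0.2.12:80",
]

def parse_alerts(lines):
    """Yield one dict per line that matches the fast-alert layout; skip the rest."""
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if m:
            yield m.groupdict()

def triage(lines, authorized_scanners=()):
    """Per source that fired SCAN_SID: scanned hosts, other events, authorized flag."""
    alerts = list(parse_alerts(lines))
    report = {}
    # Pass 1: find every source that triggered the SSH version-map rule.
    for a in alerts:
        if (a["gen"], a["sid"]) == SCAN_SID:
            entry = report.setdefault(a["src"], {
                "authorized": a["src"] in authorized_scanners,
                "targets": [], "other_events": []})
            if a["dst"] not in entry["targets"]:
                entry["targets"].append(a["dst"])
    # Pass 2: attach all other events from those sources, before or after the scan.
    for a in alerts:
        if a["src"] in report and (a["gen"], a["sid"]) != SCAN_SID:
            report[a["src"]]["other_events"].append(
                (a["ts"], a["gen"] + ":" + a["sid"], a["msg"], a["dst"]))
    return report

if __name__ == "__main__":
    for src, info in triage(SAMPLE_ALERTS, {"198.51.100.20"}).items():
        print(src, info)
```

Sources with `authorized` set to false and a non-empty `other_events` list are the ones to escalate first; the `targets` list gives the hosts to check for signs of compromise.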