NF – SCAN Potential SSH Scan

This alert is triggered when an SSH scan against an asset is detected. SSH is a secure protocol that provides remote access to an asset in a network. This alert may fire when an adversary is scanning the network and attempting to create an initial connection.

Categories

ID Number

5024708

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"NF - SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,networkforensic.dk; metadata:22122017; classtype:network-scan; sid:5024708; rev:1;)
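The signature matches only pure SYN packets (`flags:S,12`: SYN set, every other flag clear, the two reserved bits ignored) towards port 22, and `threshold: type both, track by_src, count 5, seconds 120` turns that stream into one alert per source once five such packets are seen inside a 120-second window, suppressing further alerts until the window expires. The following Python model is an added example written for this page, not code from the rule author or from networkforensic.dk; it replays constructed connection records through the same match and threshold logic so the firing behaviour can be inspected offline. The record format, the use of the letters `1` and `2` to stand for the reserved flag bits, and the RFC 5737 addresses are all assumptions of this example.

```python
"""Model of the 'NF - SCAN Potential SSH Scan' match and threshold logic.

Added example for this page (not the signature author's code). Records are
constructed and use RFC 5737 documentation addresses.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parameters taken from the signature on this page.
SSH_PORT = 22
THRESHOLD_COUNT = 5
THRESHOLD_SECONDS = 120


@dataclass
class Conn:
    ts: float   # epoch seconds
    src: str
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "R"; "1"/"2" = reserved bits (assumption)


def parse_line(line: str) -> Conn:
    """Parse one constructed record: '<ts> <src> <dst> <dport> <flags>'."""
    ts, src, dst, dport, flags = line.split()
    return Conn(float(ts), src, dst, int(dport), flags)


def matches_rule(c: Conn) -> bool:
    """flags:S,12 -> SYN set and no other flag, ignoring the two reserved bits."""
    significant = c.flags.replace("1", "").replace("2", "")
    return c.dport == SSH_PORT and significant == "S"


def threshold_both(conns: List[Conn],
                   count: int = THRESHOLD_COUNT,
                   seconds: int = THRESHOLD_SECONDS) -> List[Tuple[float, str]]:
    """Apply 'threshold: type both, track by_src'.

    Per source address: open a window at the first matching packet, count
    matches, alert once when `count` is reached, then stay silent until the
    window of `seconds` has elapsed and a new one is opened.
    """
    state: Dict[str, dict] = {}
    alerts: List[Tuple[float, str]] = []
    for c in sorted(conns, key=lambda x: x.ts):
        if not matches_rule(c):
            continue
        s = state.get(c.src)
        if s is None or c.ts - s["start"] >= seconds:
            s = {"start": c.ts, "n": 0, "alerted": False}
            state[c.src] = s
        s["n"] += 1
        if s["n"] >= count and not s["alerted"]:
            s["alerted"] = True
            alerts.append((c.ts, c.src))
    return alerts


# Constructed sample: one scanning source, one source below the threshold,
# and one source whose packets do not match the flag/port condition.
SAMPLE_LOG = """\
1000 203.0.113.5 10.0.0.7 22 S
1002 192.0.2.20 10.0.0.7 22 SA
1003 192.0.2.20 10.0.0.7 80 S
1004 192.0.2.20 10.0.0.7 22 R
1005 198.51.100.9 10.0.0.8 22 S
1010 203.0.113.5 10.0.0.7 22 S
1015 198.51.100.9 10.0.0.8 22 S
1020 203.0.113.5 10.0.0.7 22 S1
1025 198.51.100.9 10.0.0.8 22 S
1030 203.0.113.5 10.0.0.7 22 S
1035 198.51.100.9 10.0.0.8 22 S
1040 203.0.113.5 10.0.0.7 22 S
1050 203.0.113.5 10.0.0.7 22 S
1060 203.0.113.5 10.0.0.7 22 S
1070 203.0.113.5 10.0.0.7 22 S
1200 203.0.113.5 10.0.0.7 22 S
1210 203.0.113.5 10.0.0.7 22 S
1220 203.0.113.5 10.0.0.7 22 S
1230 203.0.113.5 10.0.0.7 22 S
1240 203.0.113.5 10.0.0.7 22 S
"""


def run_sample() -> List[Tuple[float, str]]:
    """Replay the constructed records and return the (timestamp, source) alerts."""
    conns = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    return threshold_both(conns)


if __name__ == "__main__":
    for ts, src in run_sample():
        print(f"{ts:.0f} alert NF - SCAN Potential SSH Scan from {src}")
```

Replaying the sample, 203.0.113.5 fires once at 1040 (fifth SYN inside the window opened at 1000), the three further SYNs before 1120 are suppressed, and a second window opened at 1200 fires again at 1240; 198.51.100.9 stops at four packets and never alerts, and 192.0.2.20 produces no matches because its packets are a SYN-ACK, a SYN to port 80 and a RST. The same model is useful for tuning: lowering `count` or widening `seconds` trades missed slow scans against false positives from legitimate reconnects.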

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to limit SSH connection attempts from external networks. If SSH is not used, it is recommended to disable the service so that no such communication is accepted.