NF – POLICY – SSH Client detected on non SSH standard port

This Snort rule detects TCP traffic in which neither the source nor the destination port is 22 and the first four bytes of the client-to-server payload are the string "ssh-" (case-insensitive), i.e. the start of an SSH version banner. Because the match is restricted to the client-to-server direction of an established connection, a hit indicates an SSH client speaking to a server on a port other than the standard SSH port, and the rule raises an alert.
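The matching conditions above (both ports not 22, client-to-server direction, "ssh-" in the first four payload bytes, case-insensitive) reproduced in Python and run over a handful of constructed connection records, as an added illustration that is not part of the original page or of the networkforensic.dk ruleset. The Flow record, the port numbers and the payloads are assumptions made for the example; TCP state tracking (the "established" keyword) is not modelled and every sample flow is treated as established.

```python
"""Added example: mirror the matching logic of Snort sid 5024803 on sample flows."""
from dataclasses import dataclass

SSH_STANDARD_PORT = 22


@dataclass
class Flow:
    """Hypothetical connection record (assumption for this example)."""
    src_port: int
    dst_port: int
    to_server: bool   # True when the payload travels client -> server
    payload: bytes    # first bytes of the TCP payload in that direction


def matches_rule(flow: Flow) -> bool:
    """Reproduce: alert tcp any !22 -> any !22 (flow:to_server,established;
    content:"ssh-"; nocase; depth:4;).  The connection is assumed established."""
    # "any !22 -> any !22": neither side may use the standard SSH port
    if SSH_STANDARD_PORT in (flow.src_port, flow.dst_port):
        return False
    # "flow:to_server": only inspect the client -> server direction, so the
    # server's own "SSH-2.0-..." banner (which also starts with SSH-) never fires
    if not flow.to_server:
        return False
    # content:"ssh-"; nocase; depth:4  -> match only within the first 4 bytes
    return flow.payload[:4].lower() == b"ssh-"


# Constructed sample flows (not captured traffic)
SAMPLE_FLOWS = {
    "client banner to port 2222":   Flow(51234, 2222, True,  b"SSH-2.0-OpenSSH_9.6\r\n"),
    "client banner to port 22":     Flow(51234, 22,   True,  b"SSH-2.0-OpenSSH_9.6\r\n"),
    "server banner from port 2222": Flow(2222, 51234, False, b"SSH-2.0-OpenSSH_9.6\r\n"),
    "lower-case banner to 8022":    Flow(40000, 8022, True,  b"ssh-2.0-client\r\n"),
    "HTTP request to 8080":         Flow(40001, 8080, True,  b"GET / HTTP/1.1\r\n"),
    "ssh- beyond depth 4":          Flow(40002, 8080, True,  b"xx SSH-2.0-foo\r\n"),
}


def run_detection(flows: dict) -> dict:
    """Return {flow name: alert fired?} for every sample flow."""
    return {name: matches_rule(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, fired in run_detection(SAMPLE_FLOWS).items():
        print(f"{'ALERT ' if fired else 'ok    '} {name}")
```

Only the two client-side banners on non-standard ports fire; the server banner, the standard-port session, non-SSH traffic and a banner that does not start at byte 0 all pass, which is the behaviour the depth:4 and flow:to_server keywords give the real rule.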

Categories:

ID Number

5024803

Signature

alert tcp any !22 -> any !22 (msg:"NF - POLICY - SSH Client detected on non SSH standars port"; flow:to_server,established; content:"ssh-"; nocase; depth:4; reference:url,networkforensic.dk; metadata:08092018; classtype:misc-activity; sid:5024803; rev:1;)

MITRE ATT&CK Technique

-

Severity

High

Recommendations/Investigative actions

Identify the source and destination hosts and establish why an SSH session was initiated on a non-standard port. If it is part of the documented system configuration, the alert can be closed. If it is not, look for additional suspicious indicators on both hosts, since this can be an attempt to perform lateral movement.