ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack

This alert is triggered when detecting frequent attempts to create an SSH Connection to an asset. SSH is a secure protocol to provide access to an asset in a network. This alert may be triggered when an adversary is attempting a brute-force Attack.

Categories:

ID Number

4000725

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN LibSSH Based Frequent SSH Connections Likely BruteForce Attack"; flow:established,to_server; content:"SSH-"; content:"libssh"; within:20; threshold: type both, count 5, seconds 30, track by_src; reference:url,doc.emergingthreats.net/2006546; classtype:attempted-admin; sid:4000725; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

MITRE ATT&CK Technique

-

Severity

Low

Recommendations/Investigative actions

It is recommended to limit SSH connection attempts from external networks. If there is no use of SSH, it's recommended to disable the communication.