SSH Inspector Overview
Type | Inspector (service)
Usage | Inspect
Instance Type | Multiton
Other Inspectors Required | None
Enabled |
Secure Shell Protocol (SSH) is a network protocol that enables secure communication between a client and server over an unsecured network. SSH supports tunneling and authenticates a remote host using public-key cryptography.
You can use SSH to securely transfer files, or log in to a remote host and interact with the command line. The SSH protocol uses port 22 over TCP, UDP, or SCTP.
The ssh inspector decodes stream packets and detects the following SSH exploits:
- Challenge-Response Buffer Overflow exploit
- CRC-32 exploit
- SecureCRT SSH Client Buffer Overflow exploit
- Incorrect SSH message direction
Challenge-Response Buffer Overflow and CRC-32 attacks occur after authentication when the network connection between hosts is encrypted. Both types of attack send a large payload of more than 20 KB to the server immediately after the authentication challenge.
The ssh inspector detects the Challenge-Response Buffer Overflow and CRC-32 attacks by counting the number of bytes transmitted to the server. If the bytes exceed the defined limit within a predefined number of packets, the ssh inspector generates an alert.
CRC-32 attacks apply only to SSH Version 1 and Challenge-Response Buffer Overflow exploits apply only to SSH Version 2.
The ssh inspector reads the SSH version string at the beginning of the session to identify the type of attack.
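The byte-counting heuristic and version check described above, sketched as an added example; this is not Snort's own code. The thresholds, alert labels, function names, and the choice to start the packet window at the end of the version exchange are assumptions made for illustration.

```python
import re

# Hypothetical thresholds for illustration, not the inspector's real settings.
BYTE_LIMIT = 20 * 1024   # client-to-server bytes tolerated inside the window
PACKET_WINDOW = 25       # packets examined after the version exchange

VERSION_RE = re.compile(rb"^SSH-(\d+)\.(\d+)-")


def ssh_major_version(banner: bytes):
    """Return 1 or 2 from an SSH identification string, None if it is not SSH."""
    m = VERSION_RE.match(banner)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):   # RFC 4253: 1.99 is treated as 2.0
        return 2
    return major if major in (1, 2) else None


def inspect_session(client_banner: bytes, packets):
    """packets: (direction, payload_len) tuples seen after the version exchange.
    Returns a hypothetical alert label, or None when nothing fires."""
    version = ssh_major_version(client_banner)
    if version is None:
        return "protocol-mismatch"          # non-SSH client on an SSH port
    client_bytes = 0
    for seen, (direction, length) in enumerate(packets, start=1):
        if seen > PACKET_WINDOW:
            return None                     # window closed: stop counting
        if direction == "c2s":
            client_bytes += length
            if client_bytes > BYTE_LIMIT:
                # Same heuristic, labelled by the version read from the banner.
                return "crc32" if version == 1 else "challenge-response-overflow"
    return None


# Constructed sample sessions (not captured traffic).
BURST = [("c2s", 1400)] * 16                 # 22,400 bytes sent at once
BULK_LATER = [("c2s", 200), ("s2c", 200)] * 13 + [("c2s", 1400)] * 100

if __name__ == "__main__":
    print(inspect_session(b"SSH-2.0-OpenSSH_9.6\r\n", BURST))
    print(inspect_session(b"SSH-1.5-client\r\n", BURST))
    print(inspect_session(b"SSH-2.0-OpenSSH_9.6\r\n", BULK_LATER))
    print(inspect_session(b"GET / HTTP/1.1\r\n", BURST))
```

The BULK_LATER session shows why the packet window matters: a large transfer that begins after the window has closed is not counted, so only an early burst toward the server raises an alert.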
The SecureCRT SSH Client Buffer Overflow and protocol mismatch attacks occur before the key exchange when hosts are attempting to secure a connection. The SecureCRT SSH Client Buffer Overflow attack sends an overly long protocol identifier string to the client, causing a buffer overflow. A protocol mismatch attack occurs when either a non-SSH client application attempts to connect to a secure SSH server, or the server and client version numbers do not match.
Note: The ssh inspector does not handle brute force attacks.