Stop SSH over HTTPS?

Unanswered Question
Dec 13th, 2007

Hi guys,

I have Cisco ASA-SSM-20 deployed INLINE.

I can cut any traffic without any problems except SSHv2 over HTTP or HTTPS.

Implementation?

Easy, you can make an HTTPS tunnel, then SSH over HTTPS and after that LOCAL PORT FORWARDING so you can get in the company from home ;)

How can I deny such a connection? Any signature? Any ideas, or can't Cisco help in this case?

Best regards,


mhellman Thu, 12/13/2007 - 07:07

I assume you have the AIP-SSM-20?

Take a look at signature 11233-0 and -1 and -2, which are for SSH Over Non-standard Ports. These seem to do a good job detecting SSH tunnels and I haven't seen a false positive yet.

It's worth noting too that there are many, many more tools that can tunnel through a forwarding proxy without using SSH. SSH is just a little more ubiquitous.

coredumpbp Thu, 12/13/2007 - 07:32

They are activated, but without any result.

Please see the log on the SSH session taken from SSM-20.

The SSH is v1.99 running on the server SIDE.

The SSM-20 can't see anything! Any ideas?



mhellman Thu, 12/13/2007 - 08:29

Interesting. In the very first data packet, I see:



I expect to see something like:

SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT


In the above session, I was using SecureCRT and connecting to an OpenSSH server.

In your case, whatever client and server are being used appear to replace any references to SSH and the server type with zeroes... perhaps intentionally to bypass IDS/IPS? Or actually, it might be a pretty clever hack to prevent others from connecting to your SSH server, because I think a standard SSH client will fail to connect if versions don't match. I'll have to test that.

In any event, look at the first data packet after the handshake and modify/build a signature based on it. You might consider a meta signature to prevent false positives. Bear in mind that someone capable of changing the source and recompiling both the server and the client can set this to whatever they want:

perhaps look for "diffie-hellman" in one signature and "ssh" in another?

mhellman Thu, 12/13/2007 - 09:32

I created a signature that fires on "diffie-hellman.*ssh". I've attached a snapshot. Not seeing any false positives yet. One thing to note: I created a new signature variable called "TUNNEL_PORTS" that contains all the ports our outbound PROXIES allow tunnels for. You should do the same. There is a significant problem with the original signature in that it only looks at the default #WEBPORTS variable. This variable is really designed for clear-text HTTP, so it doesn't contain port 443, etc. It feels wrong using a ".*" in the regex without some sort of match limit, so you may want to tune once you verify that it works.

BTW, this is on a sensor appliance, not an ASA, so YMMV in terms of how you create a matching sig.
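The two detection ideas in the replies above (the client/server version banner that the stock signatures presumably key on, and the "diffie-hellman.*ssh" match on the KEXINIT that follows it) can be reproduced against constructed traffic. The script below is an added example, not code from the thread or from Cisco; the TUNNEL_PORTS set, the algorithm lists, the TLS ClientHello bytes and the "zeroed banner" model of the modified server are all assumptions made here for illustration. The KEXINIT framing follows RFC 4253 section 7.1, and the regex uses a bounded gap in place of the unbounded ".*" the post flags as uncomfortable.

```python
"""Added example (not from the thread): banner vs. KEXINIT detection of SSH
on proxy tunnel ports, run over constructed flows.  Nothing here is Cisco's
signature code; it only mirrors the logic discussed in the replies."""
import re
import struct

# Assumption: ports the outbound proxies allow CONNECT tunnels on (site-specific).
TUNNEL_PORTS = {443, 8443, 8080}

# Illustrative algorithm lists; real KEXINITs carry whatever the build supports.
KEX = ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
       "diffie-hellman-group1-sha1"]
HOSTKEY = ["ssh-rsa", "ssh-dss"]


def name_list(names):
    """RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    s = ",".join(names).encode()
    return struct.pack(">I", len(s)) + s


def build_kexinit(kex, hostkey):
    """Build an SSH_MSG_KEXINIT (type 20) binary packet per RFC 4253 s7.1.
    Cookie and padding are zero here; real implementations randomise both."""
    body = bytes([20]) + bytes(16)                 # msg type + 16-byte cookie
    body += name_list(kex) + name_list(hostkey)
    body += name_list(["aes128-ctr"]) * 2          # enc c2s, s2c
    body += name_list(["hmac-sha1"]) * 2           # mac c2s, s2c
    body += name_list(["none"]) * 2                # comp c2s, s2c
    body += name_list([]) * 2                      # languages c2s, s2c
    body += b"\x00" + b"\x00\x00\x00\x00"          # first_kex_packet_follows, reserved
    # 4 (length) + 1 (pad length) + body + pad must be a multiple of 8, pad >= 4
    pad = 8 - ((5 + len(body)) % 8)
    if pad < 4:
        pad += 8
    payload = bytes([pad]) + body + bytes(pad)
    return struct.pack(">I", len(payload)) + payload


# Constructed identification strings (RFC 4253 s4.2 requires "SSH-" first).
CLIENT_BANNER = b"SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT\r\n"
SERVER_BANNER = b"SSH-1.99-OpenSSH_3.9p1\r\n"
# Assumption: the modified build overwrites the banner with '0' characters.
ZEROED_BANNER = b"0" * (len(CLIENT_BANNER) - 2) + b"\r\n"
# Constructed TLS 1.0 ClientHello prefix: record header + handshake header.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01" + bytes(32)

# Detection 1: version banner at the very start of either direction.
BANNER_RE = re.compile(rb"^SSH-(?:1\.99|2\.0)-")
# Detection 2: KEXINIT lists kex algorithms, then host-key algorithms, so
# "ssh-" follows "diffie-hellman" within a few hundred bytes; bound the gap.
KEXINIT_RE = re.compile(rb"diffie-hellman.{0,512}?ssh-", re.DOTALL)


def banner_detect(port, c2s, s2c):
    return port in TUNNEL_PORTS and bool(BANNER_RE.match(c2s) or BANNER_RE.match(s2c))


def kexinit_detect(port, c2s, s2c, window=4096):
    """Only inspect the first `window` bytes of each direction: after KEXINIT
    the stream is encrypted, so nothing later can match anyway."""
    return port in TUNNEL_PORTS and any(
        KEXINIT_RE.search(stream[:window]) for stream in (c2s, s2c))


def classify(flows):
    """Return {name: (banner_hit, kexinit_hit)} for each (port, c2s, s2c) flow."""
    return {name: (banner_detect(*f), kexinit_detect(*f)) for name, f in flows.items()}


KEXINIT = build_kexinit(KEX, HOSTKEY)
FLOWS = {
    "stock_ssh_on_443":     (443, CLIENT_BANNER + KEXINIT, SERVER_BANNER + KEXINIT),
    "zeroed_banner_on_443": (443, ZEROED_BANNER + KEXINIT, ZEROED_BANNER + KEXINIT),
    "tls_on_443":           (443, TLS_CLIENT_HELLO, b""),
    "stock_ssh_on_22":      (22, CLIENT_BANNER + KEXINIT, SERVER_BANNER + KEXINIT),
}

if __name__ == "__main__":
    for name, hits in classify(FLOWS).items():
        print(f"{name:24s} banner={hits[0]!s:5s} kexinit={hits[1]}")
```

The zeroed-banner flow is the case from the thread: the banner check misses it, the KEXINIT check still fires because the algorithm names are part of the protocol and cannot be blanked without both ends agreeing on a private rename. Port 22 is ignored because it is not in TUNNEL_PORTS, which is the point of not reusing the clear-text WEBPORTS variable. The bounded `.{0,512}?` keeps the match inside one KEXINIT rather than letting "diffie-hellman" in one packet pair with an unrelated "ssh-" thousands of bytes later.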

coredumpbp Thu, 12/13/2007 - 09:47


thank you for the support. I will create the signature and see the result.

By the way, how are you defining the variable $TUNNEL_PORTS to match more than one port, so as not to create the same signature for more than one port?



mhellman Thu, 12/13/2007 - 09:49

I don't have an ASA but my understanding is that functionality is similar. Just use a comma or carriage return to separate the ports.







mhellman Thu, 12/13/2007 - 09:51

BTW, I'm curious. Do you know anything about this SSH tunnel you're seeing? I'm just wanting to know if someone manually updated source and then recompiled to create this effect, or if there is some OS or version of SSH that already does this out of the box.

mhellman Thu, 12/13/2007 - 09:53

BTW, in the first data packet (from the client) I just see:

SSH-2.0-SecureCRT_5.1.3 (build 281) SecureCRT

The "SSH-1.99-OpenSSH_3.9p1" is in the reply from the server.

coredumpbp Fri, 12/14/2007 - 00:52


Yes, now I can stop this SSH connection over 443 ;) Thanks.

Attached is an output of the event log of the IPS.

Now, coming back to the SSH: it is a modified version on the server side (banners deleted from the SSH daemon, key authentication plus some sort of compression built in).

The SSH server and SSH client are running on Windows platform with CYGWIN.



