da_667 on Nostr: took me most of the morning, but I've been working on some improvements for detecting ...
took me most of the morning, but I've been working on some improvements for detecting ErlangOTP/SSH exploitation attempts.
Runzero identified a range of vulnerable ssh banners (www.runzero.com/blog/erlang-otp-ssh/), so I used that to create a rule that sets a flowbit. Flowbits are a way of telling Snort or Suricata to "watch this stream of network traffic that meets this criteria."
If the SSH server banner is vulnerable, AND we see Null Init cookies, OR an unencrypted channel open, or an unencrypted channel request message, only then will the alerts trigger.
Of course, this means stuff like cisco products that are vulnerable, because they use ErlangOTP under the hood, who also had to make their own unique SSH server banners for reasons beyond my comprehension (like, say, making it that much fucking harder to get a software bill of materials for all the shit running under their hood) won't trigger with these rules.
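The flowbit logic described in the post, as an added example that is not the author's rule set: a small Python stand-in that sets a "vulnerable banner" bit from the server's identification string and only alerts on a client KEXINIT with a null cookie, a channel open, or a channel request while that bit is set and the stream is still plaintext. The banner pattern, message layouts and sample flows are constructed assumptions (SSH framing per RFC 4253, message numbers per RFC 4253/4254), not runZero's banner list or real captures.

```python
import re
import struct

# Assumption: this pattern stands in for runZero's list of vulnerable banners;
# a real rule should match only the version range given in their post.
VULN_BANNER = re.compile(rb"^SSH-2\.0-Erlang/")
MSG_KEXINIT, MSG_NEWKEYS, MSG_CHANNEL_OPEN, MSG_CHANNEL_REQUEST = 20, 21, 90, 98

def ssh_packet(payload: bytes) -> bytes:
    """Frame a plaintext SSH binary packet (RFC 4253 s6): length, pad_len, payload, pad."""
    pad = 8 - ((5 + len(payload)) % 8)
    if pad < 4:
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + b"\x00" * pad

def analyze(flow):
    """flow: list of (direction, bytes). Returns alert names in firing order.
    Mirrors the post: the server banner sets a flowbit, and client messages alert
    only while that bit is set and before NEWKEYS turns the stream into ciphertext."""
    alerts, vuln_banner_seen, encrypted = [], False, False
    for direction, data in flow:
        if data.startswith(b"SSH-"):            # identification string, either side
            if direction == "s2c" and VULN_BANNER.match(data):
                vuln_banner_seen = True         # flowbit set
            continue
        if encrypted or len(data) < 6:
            continue
        msg = data[5]                            # first payload byte = message number
        if msg == MSG_NEWKEYS:                   # everything after this is ciphertext
            encrypted = True
        elif direction == "c2s" and vuln_banner_seen:
            if msg == MSG_KEXINIT and data[6:22] == b"\x00" * 16:
                alerts.append("erlang-ssh kexinit with null cookie")
            elif msg == MSG_CHANNEL_OPEN:
                alerts.append("erlang-ssh channel open before auth")
            elif msg == MSG_CHANNEL_REQUEST:
                alerts.append("erlang-ssh channel request before auth")
    return alerts

# Constructed sample packets and flows (truncated KEXINIT bodies; not captured traffic).
null_cookie_kexinit = ssh_packet(bytes([MSG_KEXINIT]) + b"\x00" * 16 + b"\x00" * 4)
random_cookie_kexinit = ssh_packet(bytes([MSG_KEXINIT]) + bytes(range(1, 17)) + b"\x00" * 4)
channel_open = ssh_packet(bytes([MSG_CHANNEL_OPEN]) + b"\x00\x00\x00\x07session")
ERLANG_FLOW = [("s2c", b"SSH-2.0-Erlang/5.2.9\r\n"), ("c2s", b"SSH-2.0-scanner\r\n"),
               ("c2s", null_cookie_kexinit), ("c2s", channel_open)]
OPENSSH_FLOW = [("s2c", b"SSH-2.0-OpenSSH_9.6\r\n"), ("c2s", b"SSH-2.0-scanner\r\n"),
                ("c2s", null_cookie_kexinit), ("c2s", channel_open)]
NORMAL_ERLANG_FLOW = [("s2c", b"SSH-2.0-Erlang/5.2.9\r\n"), ("c2s", random_cookie_kexinit),
                      ("c2s", ssh_packet(bytes([MSG_NEWKEYS]))), ("c2s", channel_open)]

if __name__ == "__main__":
    for name, flow in [("erlang", ERLANG_FLOW), ("openssh", OPENSSH_FLOW), ("normal", NORMAL_ERLANG_FLOW)]:
        print(name, analyze(flow))
```

The OPENSSH_FLOW case shows the caveat from the post: the same client packets against a server whose banner is not on the list never trip the bit, so they never alert.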
Published at 2025-04-23 15:26:30