GEN:SID 1:1638
Message SCAN SSH Version map attempt
Summary This event is generated when a scan is detected.
Impact Information gathering.
Detailed Information This event indicates that an attempt has been made to scan a host.

This may be the prelude to an attack. Scanners are used to ascertain which ports a host may be listening on, whether or not the ports are filtered by a firewall and if the host is vulnerable to a particular exploit.
Affected Systems Any host.
Attack Scenarios An attacker can determine if a vulnerable version of ssh is being used
on a host, then proceed to exploit that vulnerablity.
Ease of Attack Simple.
Corrective Action Determine whether or not the scan was legitimate then look for other events concerning the attacking IP address.

Check the host for signs of compromise.
Additional References