![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: snort to trap SSH connection --HOWTO?
From: Chris Green <cmg () uab edu>
Date: Sat, 06 Oct 2001 08:46:27 -0500
"gerald." <gerald.chan () i-admin com> writes:
> Hi,
>
> I am running Linux Redhat 7.1, snort-1.8.1-RELEASE, openssh 2.9.2.
> I tried to trap any suspicious SSH connection from the external network to
> my network, but was unable to start the process.
What are the values of $HOME_NET and $EXTERNAL_NET? Show the lines where they are being defined if you would. Rule parser isn't as robust as it should be sometimes.
> case 1
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)
> result: core dump
Looks good, but you'd probably need to change S to S+ for it to work. Still need to know the variable values.
> case 2
> alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)
> result:
> ERROR /etc/snort/rules/ssh.rules (5) => Bad protocol: any
> Fatal Error, Quitting..
This one has no protocol.
> case 3
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH to sensor";)
> result: core dump
>
> Please help, and thanks in advance,
> Gerald
-- 
Chris Green <cmg () uab edu>
A good pun is its own reword.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
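To make the two points in the reply above concrete (the rule header must carry a protocol, and the $HOME_NET / $EXTERNAL_NET values matter; plus the `flags: S` versus `flags: S+` difference), here is an added example. It is not Snort's own parser and not code from either poster: a small Python checker that resolves `var` definitions from a constructed snort.conf fragment (HOME_NET and EXTERNAL_NET values are assumed), validates the seven header fields of Gerald's three rules, and evaluates a `flags:` option against a packet's TCP flag byte. Its error messages are its own, not Snort's, and it only implements the exact-match and `+` forms of `flags:`.

```python
"""Minimal Snort 1.x-style rule header checker (added example, not Snort code).

Shows why a header with no protocol field is rejected, why undefined
$VARIABLES are a problem, and how `flags:S` differs from `flags:S+`.
"""
import re

# Constructed snort.conf fragment: the variable definitions the reply asks for.
SNORT_CONF = """
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
"""

# Gerald's three rules, copied from the quoted text above.
CASE1 = 'alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)'
CASE2 = 'alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)'
CASE3 = 'alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH to sensor";)'

PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
ACTIONS = {"alert", "log", "pass"}
DIRECTIONS = {"->", "<>"}

# TCP flag letters as Snort names them; "1" and "2" are the reserved/ECN bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def parse_vars(conf):
    """Collect `var NAME VALUE` lines into a dict."""
    found = {}
    for line in conf.splitlines():
        m = re.match(r"\s*var\s+(\S+)\s+(.+?)\s*$", line)
        if m:
            found[m.group(1)] = m.group(2)
    return found


def resolve(token, variables):
    """Expand $NAME references recursively so `!$HOME_NET` works too."""
    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise ValueError("Undefined variable: $%s" % name)
        return resolve(variables[name], variables)
    return re.sub(r"\$(\w+)", sub, token)


def parse_header(rule, variables):
    """Split a rule into header fields and validate each one."""
    header, _, options = rule.partition("(")
    fields = header.split()
    if len(fields) != 7:
        raise ValueError("Header needs 7 fields (action proto src sport dir dst dport), got %d: %r"
                         % (len(fields), header.strip()))
    action, proto, src, sport, direction, dst, dport = fields
    if action not in ACTIONS:
        raise ValueError("Bad action: %s" % action)
    if proto not in PROTOCOLS:
        raise ValueError("Bad protocol: %s" % proto)
    if direction not in DIRECTIONS:
        raise ValueError("Bad direction: %s" % direction)
    return {"action": action, "proto": proto,
            "src": resolve(src, variables), "sport": sport, "dir": direction,
            "dst": resolve(dst, variables), "dport": dport,
            "options": options.rstrip(")").strip()}


def check_rules(rules, conf):
    """Return a list of (rule, parsed-dict-or-'ERROR: ...') pairs."""
    variables = parse_vars(conf)
    results = []
    for rule in rules:
        try:
            results.append((rule, parse_header(rule, variables)))
        except ValueError as exc:
            results.append((rule, "ERROR: %s" % exc))
    return results


def option(parsed, name):
    """Value of option `name` from a parsed rule's option list, or None."""
    for item in parsed["options"].split(";"):
        key, _, val = item.partition(":")
        if key.strip() == name:
            return val.strip()
    return None


def flags_match(spec, packet_flags):
    """Evaluate a `flags:` spec against a packet's TCP flag byte.
    Plain letters require exactly those bits and no others; a trailing
    '+' requires those bits and tolerates any others (e.g. ECN bits)."""
    wanted = 0
    for ch in spec.rstrip("+"):
        wanted |= FLAG_BITS[ch]
    if spec.endswith("+"):
        return packet_flags & wanted == wanted
    return packet_flags == wanted


if __name__ == "__main__":
    for rule, result in check_rules([CASE1, CASE2, CASE3], SNORT_CONF):
        print(rule[:40] + "...", "=>", result)
    syn_with_ecn = FLAG_BITS["S"] | FLAG_BITS["1"] | FLAG_BITS["2"]
    print("flags:S  on SYN+ECN:", flags_match("S", syn_with_ecn))
    print("flags:S+ on SYN+ECN:", flags_match("S+", syn_with_ecn))
```

Running it with the constructed config shows case 2 rejected because its header has only six fields, and running `check_rules([CASE1], "")` shows the "Undefined variable: $HOME_NET" failure that an empty or mis-ordered snort.conf produces. On the flags side, `S` rejects a SYN that also carries the reserved/ECN bits, while `S+` accepts it; note that `S+` also accepts a SYN/ACK, so a rule meant to catch only the initial SYN should keep that in mind.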
Current thread:
- snort to trap SSH connection --HOWTO? gerald. (Oct 05)
- Re: snort to trap SSH connection --HOWTO? Chris Green (Oct 06)
- Re: snort to trap SSH connection --HOWTO? gerald. (Oct 06)
- Re: snort to trap SSH connection --HOWTO? Chris Green (Oct 06)