Re: snort to trap SSH connection --HOWTO?

[Chris Green <cmg () uab edu>]

"gerald." <gerald.chan () i-admin com> writes:

> 1.  (*) text/plain          ( ) text/html           
>
> Hi,
>  
> I am running Linux Redhat 7.1, snort-1.8.1-RELEASE, openssh 2.9.2
>  
> I tried to trap any suspicious SSH connection from external network to
> my network, but unable to start the process.


What are the values of $HOME_NET and $EXTERNAL_NET? Show the lines
where they are being defined if you would.

Rule parser isn't as robust as it should be sometimes.

> case 1
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from
> untrusted network"; flags: S; tag: session, 300, packets;)
> result: core dump

looks good but you'd probably need to change S to S+ for it to work.
Still need to know the varilabe values.

> case 2
> alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network";
> flags: S; tag: session, 300, packets;)
> result: ERROR /etc/snort/rules/ssh.rules (5) => Bad protocol: any
> Fatal Error, Quitting..

This one has no protocol

> case 3
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH to sensor";)
> result: core dump
>  
> Please Help and thanks in advance,
>  
> Gerald

-- 
Chris Green <cmg () uab edu>
A good pun is its own reword.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users