Snort mailing list archives
Re: snort to trap SSH connection --HOWTO?
From: "gerald." <gerald.chan () i-admin com>
Date: Sat, 6 Oct 2001 22:53:26 +0800
the values are:

var HOME_NET [203.126.161.32/27,192.168.88.0/24]
var EXTERNAL_NET !$HOME_NET

thanks.

----- Original Message -----
From: "Chris Green" <cmg () uab edu>
To: "gerald." <gerald.chan () i-admin com>
Cc: <snort-users () lists sourceforge net>
Sent: Saturday, October 06, 2001 9:46 PM
Subject: Re: [Snort-users] snort to trap SSH connection --HOWTO?

> "gerald." <gerald.chan () i-admin com> writes:
>
> > Hi,
> >
> > I am running Linux Redhat 7.1, snort-1.8.1-RELEASE, openssh 2.9.2
> >
> > I tried to trap any suspicious SSH connection from external network to my network, but unable to start the process.
>
> What are the values of $HOME_NET and $EXTERNAL_NET? Show the lines where they are being defined if you would. Rule parser isn't as robust as it should be sometimes.
>
> > case 1
> > alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)
> > result: core dump
>
> looks good but you'd probably need to change S to S+ for it to work. Still need to know the variable values.
>
> > case 2
> > alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)
> > result:
> > ERROR /etc/snort/rules/ssh.rules (5) => Bad protocol: any
> > Fatal Error, Quitting..
>
> This one has no protocol
>
> > case 3
> > alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH to sensor";)
> > result: core dump
> >
> > Please Help and thanks in advance,
> > Gerald
>
> --
> Chris Green <cmg () uab edu>
> A good pun is its own reword.
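An offline pre-check for the rule headers and variable definitions discussed in this message, added here as an example (not code from the thread or from Snort; its messages are this script's own, not Snort's). It assumes the header layout action, protocol, source, port, direction, destination, port, and the function names `expand`, `matches` and `check_header` are hypothetical.

```python
import ipaddress

# Variable definitions as posted in the message above.
SNORT_VARS = {
    "HOME_NET": "[203.126.161.32/27,192.168.88.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}
ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

def expand(token, variables=SNORT_VARS, depth=0):
    """Resolve an address field to (negated, [networks]), following $VAR references."""
    if depth > 8:
        raise ValueError("variable reference loop")
    negated = token.startswith("!")
    token = token.lstrip("!")
    if token.startswith("$"):
        if token[1:] not in variables:
            raise ValueError(f"undefined variable {token}")
        inner_negated, nets = expand(variables[token[1:]], variables, depth + 1)
        return negated != inner_negated, nets
    if token == "any":
        return negated, [ipaddress.ip_network("0.0.0.0/0")]
    parts = token.strip("[]").split(",")
    return negated, [ipaddress.ip_network(p.strip(), strict=False) for p in parts]

def matches(ip, token, variables=SNORT_VARS):
    """True if the address falls inside the expanded address field."""
    negated, nets = expand(token, variables)
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated

def check_header(rule, variables=SNORT_VARS):
    """Return a list of problems in the rule header; an empty list means it parsed."""
    fields = rule.split("(", 1)[0].split()
    if not fields or fields[0] not in ACTIONS:
        return ["unknown or missing action"]
    if len(fields) < 2 or fields[1].lower() not in PROTOCOLS:
        return [f"field 2 must be a protocol {sorted(PROTOCOLS)}, got {fields[1:2]}"]
    if len(fields) != 7:
        return [f"expected 7 header fields, got {len(fields)}"]
    problems = []
    if fields[4] not in ("->", "<>"):
        problems.append(f"bad direction operator: {fields[4]}")
    for addr in (fields[2], fields[5]):
        try:
            expand(addr, variables)
        except ValueError as err:
            problems.append(f"{addr}: {err}")
    return problems
```

Running `check_header` on the three posted cases flags only case 2, and `matches` shows which side of a rule a given address would fall on once `!$HOME_NET` is expanded.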