Snort mailing list archives

Previous By Date Next
Previous By Thread Next

SSH Attack rule makes snort stop

From: Gerd-Christian Michalke <gmichalk () tiscali be>
Date: Thu, 2 Dec 2004 16:15:03 +0100
Hello,

Using : Snort 2.2 on slackware 9.1, logs are backed up in a mysql database.

I am trying to use this rule:
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; \
        flow:to_server; \
        flags:S; \
        threshold:type threshold, track by_src, count 3, seconds 60; \
        classtype:attempted-dos; \
        sid:2001219; \
        rev:4; \
        resp:rst-all; \
)

With this rule
When I start snort, it appears in "ps aux", and then quietly shuts down.

Without this rule, snort just runs fine.

I really need this kind of rule. I would be more than happy if someone could 
possibly help me.

Yours sincerely,
G. Michalke


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://productguide.itmanagersjournal.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: