Snort mailing list archives

Re: SSH Attack rule makes snort stop

From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 02 Dec 2004 11:02:55 -0500

At 10:15 AM 12/2/2004, Gerd-Christian Michalke wrote:

Using : Snort 2.2 on slackware 9.1, logs are backed up in a mysql database.

I am trying to use this rule:
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; \
        flow:to_server; \
        flags:S; \
        threshold:type threshold, track by_src, count 3, seconds 60; \
        classtype:attempted-dos; \
        sid:2001219; \
        rev:4; \
        resp:rst-all; \
)

With this rule
When I start snort, it appears in "ps aux", and then quietly shuts down.

Start snort in interactive mode (ie: without the -D parameter). Snort willgenerally tell you why it can't parse the rule.

In particular, do you have a flexresp enabled build of snort? if not you'llget an "Unknown keyword ' resp' in rule!" error on this one...

(90% likely to be your problem)



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.

Discover which products truly live up to the hype. Start reading now.http://productguide.itmanagersjournal.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

SSH Attack rule makes snort stop Gerd-Christian Michalke (Dec 02)
- Re: SSH Attack rule makes snort stop Matt Kettler (Dec 02)