Snort mailing list archives
Rule for detecting ssh
From: basant subba <basantsubba () gmail com>
Date: Wed, 25 Jun 2014 17:15:28 +0530
I want to write a rule to detect an SSH login attempt from HOME_NET to the server with IP 172.16.24.253. How do I go about it? This is as far as I could get, but it looks far from a complete signature to detect an SSH login attempt.

alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"ssh Login Attempt"; flow:established, to_server; content:"ssh "; sid:10000001; rev:1;)

How do I write the pcre part for this signature? Can anyone help?
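An added example, not part of the original post or of any reply in this thread: SSH encrypts the authentication exchange, so the cleartext a rule can key on from the client is its identification string, which begins with "SSH-" (RFC 4253, section 4.2). The sids, messages and detection_filter numbers below are constructed for illustration.

```snort
# As posted: content matches are case-sensitive by default, and the client's
# identification string starts with upper-case "SSH-", not "ssh ".
# alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"ssh Login Attempt"; flow:established, to_server; content:"ssh "; sid:10000001; rev:1;)

# Match the client identification string ("SSH-2.0-..." or "SSH-1.99-...")
# in the first 4 bytes of a client payload. This alerts once per new SSH
# connection; it cannot tell a successful login from a failed one.
# (constructed sid and msg)
alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"SSH client connection attempt"; flow:established,to_server; content:"SSH-"; depth:4; sid:10000002; rev:1;)

# Same match with a rate condition: alert only once a single source address
# exceeds 5 matching connections within 60 seconds, which is the usual
# network-visible sign of repeated login attempts.
# (constructed sid, msg, count and seconds)
alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"SSH repeated connection attempts"; flow:established,to_server; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; sid:10000003; rev:1;)
```

No pcre option is needed for either rule, because the match is a fixed string at a fixed offset.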
Current thread:
- Rule for detecting ssh basant subba (Apr 27)
- Re: Rule for detecting ssh Arvid Van Essche (Apr 28)
- <Possible follow-ups>
- Rule for detecting ssh basant subba (Jun 25)
- Re: Rule for detecting ssh Shirkdog (Jun 25)
- Re: Rule for detecting ssh basant subba (Jun 25)
- Re: Rule for detecting ssh Joel Esler (jesler) (Jun 25)
- Re: Rule for detecting ssh Shirkdog (Jun 25)
- Re: Rule for detecting ssh Shirkdog (Jun 25)