Snort mailing list archives
snort not alerting on same ip ssh attack after restart
From: John Devine <john.devine () nuspire com>
Date: Fri, 8 Apr 2016 18:06:13 +0000
Hi all, I am testing alerts on snort 2.9.2.2 on a box running debian by using a mock ssh attack to trigger one of snort's default rules. The rule is generated after 5 ssh attempts are made within 60 seconds. I am using snort as-is; I have created no custom rules. I can reproduce this about once a day but after a reboot of the box or restart of snort it will not generate an alert after using the same mock ssh attack even when I 'attack' it from a different IP. My guess is that there is some default local event filter for a specific rule that prevents the alert from generating again within a certain timeframe. I tried creating a global event filter (event_filter gen_id 0, sig_id 0, type both, track by_src, count -1, seconds 1) in the hope of circumventing all time limits and thresholds that could be preventing snort from alerting. Is there a way to disable any default filters that are preventing snort from generating multiples of the same alerts? If that is even the problem. Essentially, I want snort to be able to generate the same alert every time it happens which is currently does not. Thanks.
------------------------------------------------------------------------------ Find and fix application performance issues faster with Applications Manager Applications Manager provides deep performance insights into multiple tiers of your business applications. It resolves application problems quickly and reduces your MTTR. Get your free trial! http://pubads.g.doubleclick.net/ gampad/clk?id=1444514301&iu=/ca-pub-7940484522588532
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- snort not alerting on same ip ssh attack after restart John Devine (Apr 08)
- Re: snort not alerting on same ip ssh attack after restart wkitty42 (Apr 08)
- <Possible follow-ups>
- Re: snort not alerting on same ip ssh attack after restart John Devine (Apr 08)
- Re: snort not alerting on same ip ssh attack after restart John Devine (Apr 08)
- Re: snort not alerting on same ip ssh attack after restart wkitty42 (Apr 08)