Snort mailing list archives

Re: Monitor Authentication


From: Chris Sandford <chris.sandford () sms-alderley com>
Date: Wed, 25 Jan 2017 08:58:05 +0000

Hi,

Thank you for this. Is it possible to direct the rule to look at a specific device for attempted SSH logins?


From: Marcin Dulak [mailto:marcin.dulak () gmail com]
Sent: 24 January 2017 18:11
To: Chris Sandford
Subject: Re: [Snort-users] Monitor Authentication

Hi,

On Tue, Jan 24, 2017 at 3:48 PM, Chris Sandford <chris.sandford () sms-alderley com> wrote:
Hi,

Looking to run Snort to monitor authentication attempts on external facing devices.

Does anyone have an example of a rule looking at a single IP of a device for monitoring login attempts? The rule would
alert for failed and successful logins if detected.

This particular rule https://www.snort.org/rule_docs/1-19559 will fire if more than 5 login attempts are made in 60
seconds; it is also discussed here:
http://seclists.org/snort/2014/q2/482

Marcin


In my example the login method would be to monitor SSH login attempts on an external-facing device; although this is
blocked by default, it would be good to monitor for attempted logon requests.

Thanks,


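To show how the threshold behaviour of the rule Marcin linked can be narrowed to one device, here is an added example in Snort 2 rule syntax; it is not rule 1-19559 itself and not from either poster. The device address 203.0.113.10, the message texts and the sids in the local range are assumptions, and the rules assume the usual $EXTERNAL_NET variable from snort.conf.

```snort
# Added example (not rule 1-19559 itself): a local rule that applies the same
# detection_filter idea, but only to SSH sessions opened towards one device.
# 203.0.113.10 is a placeholder; replace it with the address of the device to
# watch, and make sure $EXTERNAL_NET in snort.conf covers the outside links.
#
# The client sends its "SSH-" version banner once per TCP connection, so the
# rule counts new SSH connections per source address. After 5 connections from
# the same source within 60 seconds, each further one raises an alert, which is
# what "more than 5 attempts in 60 seconds" means for detection_filter.
alert tcp $EXTERNAL_NET any -> 203.0.113.10 22 ( \
    msg:"LOCAL SSH connection burst against monitored device"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    detection_filter:track by_src, count 5, seconds 60; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; )

# Optional companion rule with no threshold: one alert per SSH connection to
# the device, for an environment where SSH is supposed to be blocked and any
# attempt at all is worth a ticket. Check the alert volume before enabling it.
alert tcp $EXTERNAL_NET any -> 203.0.113.10 22 ( \
    msg:"LOCAL SSH connection attempt to monitored device"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    classtype:misc-activity; \
    sid:1000002; rev:1; )
```

Because SSH is encrypted, Snort sees connections and version banners, not the outcome of authentication; whether a login succeeded or failed has to come from the device's own authentication logs (for example syslog forwarded to a central collector), correlated with these alerts.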

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
