![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: Monitor Authentication
From: Chris Sandford <chris.sandford () sms-alderley com>
Date: Wed, 25 Jan 2017 08:58:05 +0000
Hi, Thank you for this. Is it possible to direct the rule to look at specific device for attempted SSH logins? From: Marcin Dulak [mailto:marcin.dulak () gmail com] Sent: 24 January 2017 18:11 To: Chris Sandford Subject: Re: [Snort-users] Monitor Authentication Hi, On Tue, Jan 24, 2017 at 3:48 PM, Chris Sandford <chris.sandford () sms-alderley com<mailto:chris.sandford () sms-alderley com>> wrote: Hi, Looking to run Snort to monitor authentication attempts on external facing devices. Does anyone have an example of a rule looking at a single IP of a device for monitoring login attempts. The rule would alert for failed and successful logins if detected. this particular rule https://www.snort.org/rule_docs/1-19559 will fire if more than 5 login attempts are made in 60 seconds, discussed also here: http://seclists.org/snort/2014/q2/482 Marcin In my example the login method would be to monitor SSH login attempts on an external facing device, although this is blocked by default it would be good to monitor for attempted logon requests. Thanks, SMS Head Office : Starling House, Lancelot Road, Beacon Park, Gorleston-on-Sea, Great Yarmouth, Norfolk, NR31 7BF Tel: +44 (0)1493 655515<tel:+44%201493%20655515> Fax : +44 (0)1493 655516<tel:+44%201493%20655516> Website: www.sms-alderley.com<http://www.sms-alderley.com> Email: enquiries () smsgrp com<mailto:enquiries () smsgrp com> Parent Company Head Office: Alderley plc, Arnolds Field Estate, The Downs, Wickwar, Gloucestershire, GL12 8JD Tel: +44(0)1454 294556<tel:+44%201454%20294556> Fax: +44 (0)1454 299272<tel:+44%201454%20299272> Website : www.alderley.com<http://www.alderley.com> Sales : sales () alderley com<mailto:sales () alderley com> This email and its contents are confidential and are solely for the use of the intended recipient. If you are not the original recipient you have received it in error and any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. Should you receive this email in error please immediately notify helpdesk () alderley com<mailto:helpdesk () alderley com>. This email has been scanned for viruses, trojans and malware however it is your responsibility to ensure your systems are protected that this email is properly scanned before opening. SMS is a member of the Alderley Group. P It takes 24 trees to produce 1 tonne of office paper! Thinkā¦ is it really necessary to print this email? ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Monitor Authentication Chris Sandford (Jan 24)
- Message not available
- Re: Monitor Authentication Chris Sandford (Jan 25)
- Message not available
- <Possible follow-ups>
- Re: Monitor Authentication Al Lewis (allewi) (Jan 24)