Snort mailing list archives
snort iptables drop
From: Gokan Atmaca via Snort-users <snort-users () lists snort org>
Date: Sat, 24 Mar 2018 23:39:36 +0300
Hello I want to block ip addresses that attack brute force with Snort. Can you help with this ? I tried the following. But the rule did not work. -> my rules: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH bruteforce login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60;classtype:misc-activity; sid:19559; rev:2;) drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH bruteforce login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:19559; rev:2;) -> iptables rule: # iptables -A INPUT -p tcp --dport 22 -j NFQUEUE --queue-num 1 -> snort: # snort -A console -q -c /etc/snort/snort.conf --daq nfq --daq-var queue=1 Thank you. _______________________________________________ Snort-users mailing list Snort-users () lists snort org Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Current thread:
- snort iptables drop Gokan Atmaca via Snort-users (Mar 24)