Snort mailing list archives

snort iptables drop

From: Gokan Atmaca via Snort-users <snort-users () lists snort org>
Date: Sat, 24 Mar 2018 23:39:36 +0300

Hello

I want to block ip addresses that attack brute force with Snort. Can
you help with this ?
I tried the following. But the rule did not work.

-> my rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH
bruteforce login attempt"; flow:to_server,established; content:"SSH-";
depth:4; detection_filter:track by_src, count 5, seconds
60;classtype:misc-activity; sid:19559; rev:2;)

drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH
bruteforce login attempt"; flow:to_server,established; content:"SSH-";
depth:4; detection_filter:track by_src, count 5, seconds 60;
classtype:misc-activity; sid:19559; rev:2;)

-> iptables rule:
# iptables -A INPUT -p tcp --dport 22 -j NFQUEUE --queue-num 1

-> snort:

# snort -A console -q -c /etc/snort/snort.conf  --daq nfq --daq-var queue=1

Thank you.
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Current thread:

snort iptables drop Gokan Atmaca via Snort-users (Mar 24)