Snort mailing list archives

snort rules

From: Jean Michel Tangué via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 23 Jul 2018 19:29:38 +0000

alert tcp 192.168.1.30 any -> 192.168.1.50 22 (
msg:"SSH Brute Force Attempt";
flow:established,to_server;
content:"SSH"; nocase; offset:0; depth:4;
detection_filter:track by_src, count 3, seconds 60;
sid:10000001; rev:1;)


I wrote this rule so that when Yura more than three failed SSH connection
attempts that there is an alert but it is not working. Are this the rule
that is badly written ?? Or if not I ask the exact writing of the rule.
Thank you very much for helping me.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Snort rules Jean Michel Tangué via Snort-sigs (Jul 22)
- Re: Snort rules Y M via Snort-sigs (Jul 22)
- <Possible follow-ups>
- Snort rules Jean Michel Tangué via Snort-sigs (Jul 22)
  - Re: Snort rules Y M via Snort-sigs (Jul 22)
- Snort rules jeanmicheltangue via Snort-users (Jul 23)
  - Re: Snort rules Y M via Snort-users (Jul 24)
- Snort rules jeanmicheltangue via Snort-users (Jul 23)
  - Re: Snort rules Y M via Snort-users (Jul 24)
- snort rules Jean Michel Tangué via Snort-sigs (Jul 23)
  - Re: snort rules Joel Esler (jesler) via Snort-sigs (Jul 23)
    - Re: snort rules wkitty42--- via Snort-sigs (Jul 23)