Snort mailing list archives
Need help about an rules
From: Jean Michel Tangué via Snort-users <snort-users () lists snort org>
Date: Mon, 23 Jul 2018 19:03:00 +0000
alert tcp 192.168.1.30 any -> 192.168.1.50 22 ( msg:"SSH Brute Force Attempt"; flow:established,to_server; content:"SSH"; nocase; offset:0; depth:4; detection_filter:track by_src, count 3, seconds 60; sid:10000001; rev:1;)

I wrote this rule so that when there are more than three failed SSH connection attempts there is an alert, but it is not working. Is the rule badly written? Or, if not, I would like to ask for the exact way to write the rule. Thank you very much for helping me.
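An added example, not part of the original post: a simplified Python model of the rule's content match and detection_filter, run over constructed packets. It shows that the match can only hit the cleartext SSH identification string sent once at the start of each connection, so the filter counts connections from a source rather than failed logins. All function and variable names are hypothetical, flow state is not modelled, and the 60-second interval is assumed to be a fixed window opened by the first match.

```python
def content_match(payload, pattern=b"SSH", offset=0, depth=4):
    """content:"SSH"; nocase; offset:0; depth:4
    Only bytes [offset, offset+depth) of the payload are searched."""
    return pattern.lower() in payload[offset:offset + depth].lower()


class DetectionFilter:
    """detection_filter: track by_src, count N, seconds S.
    Assumption: fixed window per source, opened by that source's first match."""

    def __init__(self, count=3, seconds=60):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, matches_in_window)

    def allow(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:  # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count  # event only once the rate is exceeded


def alerts(packets, count=3, seconds=60):
    """Return timestamps of packets that would raise an event."""
    flt = DetectionFilter(count, seconds)
    return [ts for ts, src, payload in packets
            if content_match(payload) and flt.allow(src, ts)]


# Constructed sample traffic (client-to-server payloads only).
SRC = "192.168.1.30"
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"             # identification string
ENCRYPTED = bytes.fromhex("0000002c0a1f9b3c77e2")  # stand-in for ciphertext

# One connection carrying several packets after the banner: one match only.
ONE_CONNECTION = [(0, SRC, BANNER)] + [(t, SRC, ENCRYPTED) for t in range(1, 7)]
# Four separate connections inside 60 s: the fourth banner exceeds count 3.
FOUR_CONNECTIONS = [(t, SRC, BANNER) for t in (0, 10, 20, 30)]
# Four connections spread over more than 60 s: the window resets, no event.
SLOW = [(t, SRC, BANNER) for t in (0, 30, 61, 95)]

if __name__ == "__main__":
    for name, pkts in [("one connection", ONE_CONNECTION),
                       ("four connections", FOUR_CONNECTIONS),
                       ("slow", SLOW)]:
        print(name, "->", alerts(pkts))
```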