Snort mailing list archives
Re: alert logging of non local lan SSH connections.
From: Brian <bmc () snort org>
Date: Tue, 18 Sep 2001 23:06:04 -0400
According to Travis Farmer:
How do I set up an alert to log remote SSH connections (just the headers and possibly the username used if possible).
Username? You don't. That is after the encryption has taken over.
You can log a short bit of the connection before encryption takes hold
with this:
alert tcp any any -> yourserver 22 (msg:"SSH to sensor"; flags:S; \
tag: session, 300, packets;)
--
Brian Caswell
Snort Rules Bastard
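
Added example, not part of the original message and not Snort code: a sketch of what the tagged packets can yield before encryption starts, namely the identification string and the algorithm lists of the first key-exchange packet, neither of which carries a username. It assumes SSH-2 framing (RFC 4253) and that the client-to-server TCP payload has already been reassembled; the function names and the sample bytes are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20
# Name-lists carried by SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
KEXINIT_FIELDS = ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
                  "compression_c2s", "compression_s2c",
                  "languages_c2s", "languages_s2c")

def parse_ssh_prelude(stream: bytes) -> dict:
    """Parse the cleartext start of one direction of an SSH-2 TCP stream."""
    end = stream.find(b"\n")
    if not stream.startswith(b"SSH-") or end == -1:
        raise ValueError("no SSH identification string")
    result = {"banner": stream[:end].rstrip(b"\r").decode("ascii", "replace")}
    rest = stream[end + 1:]
    if len(rest) < 6:
        return result  # capture ended before the first binary packet
    packet_length, padding_length = struct.unpack(">IB", rest[:5])
    # packet_length counts the padding_length byte, the payload and the padding.
    payload = rest[5:max(5, 4 + packet_length - padding_length)]
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        return result
    offset = 17  # skip the message type byte and the 16-byte cookie
    for name in KEXINIT_FIELDS:
        if offset + 4 > len(payload):
            break  # truncated capture: keep what was parsed so far
        (length,) = struct.unpack_from(">I", payload, offset)
        raw = payload[offset + 4:offset + 4 + length]
        if len(raw) < length:
            break  # name-list cut off by the end of the capture
        offset += 4 + length
        result[name] = raw.decode("ascii", "replace").split(",") if raw else []
    return result

def build_sample() -> bytes:
    """Constructed client bytes (not a real capture): banner plus KEXINIT."""
    lists = [b"curve25519-sha256", b"ssh-ed25519", b"aes128-ctr", b"aes128-ctr",
             b"hmac-sha2-256", b"hmac-sha2-256", b"none", b"none", b"", b""]
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    payload += b"".join(struct.pack(">I", len(x)) + x for x in lists)
    payload += b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved
    pad = 8 - (5 + len(payload)) % 8
    padding = bytes(pad if pad >= 4 else pad + 8)
    header = struct.pack(">IB", 1 + len(payload) + len(padding), len(padding))
    return b"SSH-2.0-ExampleClient_1.0\r\n" + header + payload + padding

if __name__ == "__main__":
    for field, value in parse_ssh_prelude(build_sample()).items():
        print(f"{field}: {value}")
```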
