Alert not detected once

[João Mota <joao () 3gnt net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello snorters,

A strange thing happened in my snort box. I'm only using snort to
block ssh brute force attacks. I'm using it with snortsam and, because
I couldn't patch the current snort version, I'm using the one already
patched avaible at the snortsam web site (v 2.4.3 Build 26).
Everything was working great (26 sucessfull blocks) until yesterday
when a brute force attack was missed (doesn't show in the snort logs).
The system logs showed over 70 login failures in less than 10 minutes
and I have a threshold of 5 SYN packets to the port 22 per minute. The
rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
Potential SSH Scan"; flags: S; threshold: type threshold, track
by_src, count 5, seconds 60; sid: 2001219; rev:12; fwsam:
src[either],5min; )

Another attack after that one was still detected. Does anyone have a
clue why did this happened? Was there a bugfix related to this in more
recente snort releases?

Thanks

- --
João Mota <joao () 3gnt net>
3GNTW - Tecnologias de Informação, Lda

sip: joao () 3gnt net
jid: joao () jabber 3gnt org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEY3beGDPTPBuCkZgRAhbcAJ9RxFAKsRh1OmnN1w9ovjHa0QweHQCfSjmf
CvwHekRBoMIPlkwQ0zFb2PU=
=Kzxs
-----END PGP SIGNATURE-----



-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users