Snort mailing list archives
sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive
From: Thibaut PIRONNEAU <thibaut.pironneau () clermont-universite fr>
Date: Tue, 25 Oct 2011 17:10:21 +0200
Hello,

First, sorry for my poor English.

I have been using Snort 2.9.1 for a while and I have a question about rule number 19559: BAD-TRAFFIC SSH brute force login attempt. I think this rule generates many false positives, and I can prove it: in my company, we have a huge information system with many servers and SSH servers, which are open to the WAN (behind a firewall)... I have SSH brute force alerts on these servers... But I filter SSH by IP on each machine. At home or by using another external ADSL connection, I'm not able to connect to my SSH server...

I think there is a problem with the way the rule is written:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:19559; rev:1;)

I think, if I use SSH with scp with a huge file for example, this rule raises an alert... Is there not an indication of the login in the IP packet during the connection phase?

Thanks for your patience and for your help.

Best Regards.

-- Thibaut PIRONNEAU
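As an added illustration (not part of the original post and not Snort project code), the Python model below evaluates the two conditions of the posted rule, the "SSH-" banner match with depth 4 and the by-source detection_filter, over constructed packet records, so a defender can see which traffic patterns trip it: a single long scp transfer contributes only one banner, while a script that opens several SSH sessions from one host inside a minute does. The window handling and the "more than count matches" threshold are my reading of detection_filter semantics and are labelled as assumptions in the comments.

```python
from typing import Dict, List, Tuple

# Hypothetical packet record: (timestamp_s, src_ip, dst_port, client->server payload)
Packet = Tuple[float, str, int, bytes]

def banner_matches(payload: bytes) -> bool:
    """content:"SSH-"; depth:4 -> only the SSH version banner, which a
    client sends once per TCP session, satisfies this check."""
    return payload[:4] == b"SSH-"

class DetectionFilter:
    """Model of detection_filter: track by_src, count c, seconds s.
    Assumption: the window is anchored at a source's first match and is
    reset once it expires; the rule fires on each match that brings the
    source above c matches inside the window (the 6th for count 5)."""
    def __init__(self, count: int, seconds: int) -> None:
        self.count, self.seconds = count, seconds
        self.state: Dict[str, Tuple[float, int]] = {}  # src -> (window start, matches)

    def exceeded(self, src: str, ts: float) -> bool:
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:      # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count

def run_rule_19559(packets: List[Packet], count: int = 5, seconds: int = 60) -> List[Tuple[float, str]]:
    """Evaluate the posted rule over client->server packets; returns (ts, src) per alert."""
    df = DetectionFilter(count, seconds)
    alerts: List[Tuple[float, str]] = []
    for ts, src, dport, payload in packets:
        if dport != 22 or not banner_matches(payload):
            continue                        # content must match before the filter counts
        if df.exceeded(src, ts):
            alerts.append((ts, src))
    return alerts

# Constructed sample 1: one long scp transfer -> a single banner, then bulk
# encrypted segments (stand-in bytes that never begin with "SSH-").
def scp_session(src: str = "203.0.113.10") -> List[Packet]:
    pkts: List[Packet] = [(0.0, src, 22, b"SSH-2.0-OpenSSH_5.9\r\n")]
    pkts += [(0.1 * i, src, 22, bytes([i % 256]) * 1400) for i in range(1, 3000)]
    return pkts

# Constructed sample 2: an admin script opening eight SSH sessions in 35 s.
def admin_burst(src: str = "198.51.100.7") -> List[Packet]:
    return [(5.0 * i, src, 22, b"SSH-2.0-OpenSSH_5.9\r\n") for i in range(8)]
```

Under this model the scp transfer never alerts, while the eight-session burst alerts on its sixth, seventh and eighth connections, which is the pattern to look for when triaging sid:19559 hits from known admin hosts.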
Current thread:
- sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive Thibaut PIRONNEAU (Oct 25)
- Re: sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive Alex Kirk (Oct 25)