Snort mailing list archives

sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive


From: Thibaut PIRONNEAU <thibaut.pironneau () clermont-universite fr>
Date: Tue, 25 Oct 2011 17:10:21 +0200

Hello,
First, sorry for my poor English.
I have been using Snort 2.9.1 for a while and I have a question about rule
number 19559: BAD-TRAFFIC SSH brute force login attempt.
I think this rule generates many false positives, and I can prove it:
In my company, we have a huge information system with many servers and
SSH servers, which are open to the WAN (behind a firewall)... I get SSH
brute force alerts on these servers... But I filter SSH by IP on each
machine. From home, or using another external ADSL connection, I am not
able to connect to my SSH server...

I think there is a problem with the wording of the rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:19559; rev:1;)

I think that if I use ssh with scp on a huge file, for example, this rule
raises an alert... Is there not an indication of the login in the IP packet
during the connection phase?

Thanks for your patience and for your help.

Best Regards.
-- 
Thibaut PIRONNEAU
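To make the behaviour of the rule quoted in the message concrete, here is an added simulation that is not part of the original thread and not Snort code. It models the two rule options that matter: content:"SSH-" with depth:4 only matches a payload whose first four bytes are the SSH identification string, which a client sends exactly once at the start of each TCP connection, and detection_filter with track by_src, count 5, seconds 60, which the Snort manual describes as generating an event on matches beyond the first five from one source within a 60 second window. The traffic, the IP addresses (documentation ranges), the "ciphertext" bytes and the window bookkeeping are all constructed here to illustrate the point; $HOME_NET membership and TCP state are not modelled.

```python
"""Simulate Snort sid:19559 over constructed SSH traffic (added example, not Snort code)."""
from collections import namedtuple

# A minimal packet model: timestamp (s), source IP, destination IP, dest port, payload bytes.
Packet = namedtuple("Packet", "ts src dst dport payload")

# The options from the rule: content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60
RULE = {"dport": 22, "content": b"SSH-", "depth": 4, "count": 5, "seconds": 60}


def rule_matches(pkt, rule=RULE):
    """True when the packet satisfies the rule's content match (flow/HOME_NET not modelled)."""
    if pkt.dport != rule["dport"]:
        return False
    # depth:4 restricts the search to the first 4 payload bytes, so "SSH-" only
    # matches at offset 0: the client identification string, sent once per connection.
    return pkt.payload[:rule["depth"]].find(rule["content"]) != -1


class DetectionFilter:
    """Simplified model of detection_filter track by_src, count N, seconds S.

    The first match from a source opens a fixed window; matches inside that window are
    counted, and an event is generated once the count exceeds N (per the Snort manual's
    wording). A match arriving after the window has expired opens a fresh window.
    """

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, matches_in_window)

    def check(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:  # window expired: start over
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count


def run_rule(packets, rule=RULE):
    """Return the (timestamp, src) pairs on which the rule would generate an event."""
    df = DetectionFilter(rule["count"], rule["seconds"])
    return [(p.ts, p.src) for p in packets if rule_matches(p, rule) and df.check(p.src, p.ts)]


def alerts_by_src(packets):
    counts = {}
    for _, src in run_rule(packets):
        counts[src] = counts.get(src, 0) + 1
    return counts


BANNER = b"SSH-2.0-OpenSSH_5.9"  # client identification string (constructed, RFC 4253 format)


def ssh_session(ts, src, data_packets=0):
    """One TCP connection: the banner, then opaque encrypted-looking payload packets."""
    pkts = [Packet(ts, src, "10.0.0.22", 22, BANNER)]
    for i in range(data_packets):
        # Deterministic stand-in for ciphertext; successive bytes, so it never starts with b"SSH-".
        body = bytes(((i * 7 + k) % 251) + 1 for k in range(64))
        pkts.append(Packet(ts + 0.01 * (i + 1), src, "10.0.0.22", 22, body))
    return pkts


def constructed_traffic():
    """Four constructed sources hitting one SSH server; all addresses are documentation ranges."""
    pkts = []
    for i in range(8):                      # brute forcer: 8 connections in under 20 s
        pkts += ssh_session(1000 + 2.5 * i, "203.0.113.5")
    pkts += ssh_session(1000, "198.51.100.7", data_packets=2000)  # one scp of a huge file
    for i in range(6):                      # backup script: 6 short scp connections in 40 s
        pkts += ssh_session(1000 + 8 * i, "192.0.2.40", data_packets=10)
    for i in range(3):                      # admin: 3 logins spread over 10 minutes
        pkts += ssh_session(1000 + 300 * i, "192.0.2.41")
    return sorted(pkts, key=lambda p: p.ts)


if __name__ == "__main__":
    for src, n in sorted(alerts_by_src(constructed_traffic()).items()):
        print(f"{src}: {n} event(s)")
```

Running it, the brute forcer and the backup script both produce events (3 and 1 respectively), while the single long scp transfer and the occasional admin logins produce none: the rule counts new SSH connections per source per minute, not failed logins, so any allowed host that opens more than five connections in a minute looks the same to it as a password guesser. An SSH-aware rule would need the ssh preprocessor or the server's own authentication log, since the login outcome is inside the encrypted stream and not visible in the packet.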

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net