Snort mailing list archives

Re: Can someone show an example how to force snort block ssh bruteforce?


From: Ian Bowers <iggdawg () gmail com>
Date: Fri, 20 Apr 2012 13:02:50 -0400

If running inline isn't an option, you can couple snort with software like
OSSEC (free and awesome if you've never used it) and use its active
response routines to send shuns to firewalls or that sort of thing.

On Fri, Apr 20, 2012 at 4:11 AM, kay <kay.diam () gmail com> wrote:

Hi everyone

The only thing I have reached is alerting about SSH bruteforce:
04/20-11:57:27.155161 [**] [1:19559:2] BAD-TRAFFIC SSH brute force login attempt [**] [Classification: Misc activity] [Priority: 3] {TCP} 172.16.1.1:50585 -> 172.16.1.2:22

Here are the rules I used:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:19559; rev:2;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:19559; rev:2;)


------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

