Snort mailing list archives
Re: Can someone show an example how to force snort block ssh bruteforce?
From: "Castle, Shane" <scastle () bouldercounty org>
Date: Mon, 23 Apr 2012 15:11:51 +0000
See the info about snortsam, too: http://www.snortsam.net/ Even though it was originally written for Check Point FW-1 (hence the "sam") it can tickle other firewalls as well. The beta Barnyard2 has snortsam written into it and it should soon find its way into the standard release.

By the time Snort alerts on the SSH brute force it may be too late for any truly vulnerable systems. If at all possible you should harden potentially vulnerable systems using SSH: not use passwords at all, if possible (certs only); move to a nonstandard port; longer and more complex passphrases; and so on. A HIDS solution on the system running sshd may be able to respond much faster.

--
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH

-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net]
Sent: Monday, April 23, 2012 08:56
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can someone show an example how to force snort block ssh bruteforce?

On 4/23/2012 08:32, kay wrote:
It would be nice if you told me the app name which reacts to snort alerts and blocks traffic.
currently the "app" i speak of is written in perl and known as GAR (Guardian Active Response)... i took over maintaining it when the previous maintainer disappeared several years ago... at this time, it is rather dedicated to one particular FOSS firewall product known as Smoothwall Express... the concept is very simple and numerous other packages out there perform much the same task... simply analyze the output from snort and issue a signal to the network security team or directly issue a firewall block rule to the firewall or, if in inline mode, drop the traffic by not passing it on... depending on the implementation and configuration, of course... automated responses can result in legitimate traffic being blocked if one has not tuned the snort rules and the security app to one's network traffic and needs... "tuning the rules" meaning to enable those that are needed for your network's traffic and security and disable those that are not desired... this also applies to your chosen monitoring software... for instance, you may have snort alert on certain traffic that arrives 5 times in 60 seconds and then you might have your monitoring software to raise a warning signal if it sees that alert 5 times... your monitoring software may or may not have the ability to react to this traffic... some do and some do not... some prefer to have humans looking at the reports as they happen and let them decide to block or not... as far as your subject line goes, one could start off with a simple snort rule looking for a SYN on port 22 and counting the number of times this happens from the same IP within a certain period of time (thresholding/detection_filter)...
And again, your messages are not full enough. What did you mean when you said "snort in IPS mode handles these blocks on its own"? =)
"on its own" meaning that it issues the block with no outside assistance... in other words, running in inline mode and using DROP instead of ALERT... in inline mode, snort bonds two NICs together and sits between them passing and watching the traffic flowing thru them... so it is in the perfect place to drop certain traffic into the bitbucket...
At the moment my prior task is to research opensource IPS systems and choose the best, and your "on its own" words confused me.
my apologies... i wasn't aware of a possible language or syntactic problem... i see, now, from your quote header that you speak russian... i can provide translations to russian if that will help understanding my messages?
On 23 April 2012 at 15:12, waldo kitty <wkitty42 () windstream net> wrote:

What do you mean? Snort is an IPS, OSSEC is an IDS.

actually, snort is both IDS and IPS... but ONLY insofar as it looking at the traffic on the wire and compares it with its rules... i use snort as an IDS with another tool that monitors snort's alerts and set blocks based on those alerts... snort in IPS mode handles these blocks on its own... AFAIK, OSSEC is an IDS but it goes deeper than just using snort's alerts ;)
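As an added example, not code from the thread, from GAR or from snortsam, here is the counting logic waldo describes in Python: a "5 alerts from the same source within 60 seconds" sliding window run over Snort fast-format alert lines, with a never-block list for the tuning caveat about legitimate traffic. The rule text, sid 1000001, the responder command and the sample alert lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Snort 2.x "-A fast" alert lines (no year in the timestamp).  Assumed rule, sid made up for the example:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flow:to_server; flags:S; sid:1000001; rev:1;)
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["when"] = datetime.strptime(fields["ts"], "%m/%d-%H:%M:%S.%f")
    return fields

def decide_blocks(lines, sid="1000001", count=5, seconds=60, never_block=frozenset()):
    """Sliding-window 'count N alerts in M seconds, tracked by source'; returns offending IPs in order."""
    recent = defaultdict(deque)  # src -> timestamps of that source's alerts still inside the window
    blocked = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert["sid"] != sid:
            continue
        src = alert["src"]
        if src in never_block or src in blocked:
            continue  # tuning: trusted admin hosts are never auto-blocked; never block twice
        window = recent[src]
        window.append(alert["when"])
        while (alert["when"] - window[0]).total_seconds() > seconds:
            window.popleft()  # alerts older than the window no longer count
        if len(window) >= count:
            blocked.append(src)
    return blocked

def block_command(ip):  # the firewall rule a GAR/snortsam-style responder would push for one source (assumed form)
    return f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP"

def sample_alert(hms, src):  # builds one constructed alert line; all samples fall on 04/23 like the thread
    return f"04/23-{hms}.000000  [**] [1:1000001:1] SSH brute force attempt [**] [Priority: 2] {{TCP}} {src}:51234 -> 198.51.100.5:22"
# Constructed sample: 192.0.2.10 fires five times within 30 s, 203.0.113.7 only about every 80 s.
SAMPLE_ALERTS = [sample_alert(t, s) for t, s in [
    ("08:56:01", "192.0.2.10"), ("08:56:03", "203.0.113.7"), ("08:56:05", "192.0.2.10"),
    ("08:56:12", "192.0.2.10"), ("08:56:20", "192.0.2.10"), ("08:56:31", "192.0.2.10"),
    ("08:57:30", "203.0.113.7"), ("08:58:50", "203.0.113.7"),
]]
```

Putting detection_filter:track by_src, count 5, seconds 60; directly in the Snort rule makes snort do the same counting before the alert is ever written, which is the thresholding waldo refers to.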
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!