Snort mailing list archives

Re: Rule for detecting ssh


From: Shirkdog <shirkdog () gmail com>
Date: Wed, 25 Jun 2014 09:58:51 -0400

And flip the logic of your signature. The SSH version will be returned by
the server.
On Jun 25, 2014 9:49 AM, "Joel Esler (jesler)" <jesler () cisco com> wrote:

 Capture a pcap of an attempted connection to SSH on the server and then
examine the pcap in something like wireshark to write the detection.

 On Jun 25, 2014, at 9:25 AM, basant subba <basantsubba () gmail com> wrote:

 Thanks Shirkdog but that doesn't seem to help much.


On Wed, Jun 25, 2014 at 6:19 PM, Shirkdog <shirkdog () gmail com> wrote:

Add nocase; after your content.
 On Jun 25, 2014 7:48 AM, "basant subba" <basantsubba () gmail com> wrote:

  I want to write a rule to detect an SSH login attempt from HOME_NET to the
server with IP 172.16.24.253. How do I go about it? This is as far as I
could get, but it looks far from a complete signature to detect an SSH login
attempt.

alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"ssh Login Attempt";
flow:established, to_server; content:"ssh "; sid:10000001; rev:1;)

 How do I write the pcre part for this signature? Can anyone help?
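The following is an added worked example, not code from anyone in this thread. It models, in a small Python evaluator, why the posted rule never fires and what a banner-based rule needs: per RFC 4253 both peers open an SSH session with an identification string of the form "SSH-protoversion-softwareversion", so the bytes to look for are "SSH-" (with a hyphen, no trailing space), and the server's string travels to_client. The banners are constructed samples, the evaluator only approximates Snort's content/nocase/depth/pcre semantics, and the Snort rule text in the comment is an assumed rewrite rather than anything posted here.

```python
import re

# Constructed sample payloads modelled on the RFC 4253 identification string
# ("SSH-protoversion-softwareversion SP comments CR LF"); not captured traffic.
CLIENT_BANNER = b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1\r\n"  # client -> server
SERVER_BANNER = b"SSH-2.0-OpenSSH_6.2 FreeBSD-20130515\r\n"   # server -> client

# Rules reduced to the options this toy evaluator understands.
# ORIGINAL_RULE is the rule from the post; the others are assumed variants.
# Equivalent Snort text for REVISED_RULE (assumed rewrite, not from the thread):
#   alert tcp 172.16.24.253 22 -> $HOME_NET any (msg:"SSH server banner seen";
#   flow:established,to_client; content:"SSH-"; depth:4; nocase;
#   pcre:"/^SSH-\d\.\d+-/"; sid:10000001; rev:2;)
ORIGINAL_RULE = {"direction": "to_server", "content": b"ssh "}
ORIGINAL_RULE_NOCASE = dict(ORIGINAL_RULE, nocase=True)
REVISED_RULE = {
    "direction": "to_client",
    "content": b"SSH-",
    "depth": 4,              # banner must start the payload
    "nocase": True,
    "pcre": rb"^SSH-\d\.\d+-",  # protoversion such as 1.99 or 2.0
}
# The client sends its own identification string too, so the same options
# work in the original to_server direction as well.
CLIENT_SIDE_RULE = dict(REVISED_RULE, direction="to_server")


def content_match(payload, pattern, nocase=False, depth=None):
    """Simplified model of Snort content/nocase/depth: look for `pattern` in the
    first `depth` bytes of `payload` (whole payload when depth is None)."""
    hay = payload if depth is None else payload[:depth]
    if nocase:
        hay, pattern = hay.lower(), pattern.lower()
    return pattern in hay


def rule_matches(rule, direction, payload):
    """Evaluate one rule against one payload travelling in `direction`
    ("to_server" or "to_client"). Every option must match, as in Snort."""
    if rule["direction"] != direction:
        return False
    if not content_match(payload, rule["content"],
                         rule.get("nocase", False), rule.get("depth")):
        return False
    if "pcre" in rule and re.search(rule["pcre"], payload) is None:
        return False
    return True


def evaluate(rule):
    """Run a rule over both banners of one handshake; returns per-direction hits."""
    return {
        "to_server": rule_matches(rule, "to_server", CLIENT_BANNER),
        "to_client": rule_matches(rule, "to_client", SERVER_BANNER),
    }


if __name__ == "__main__":
    for name, rule in [("original", ORIGINAL_RULE),
                       ("original + nocase", ORIGINAL_RULE_NOCASE),
                       ("revised (to_client)", REVISED_RULE),
                       ("revised (to_server)", CLIENT_SIDE_RULE)]:
        print(f"{name:22s} {evaluate(rule)}")
```

Running it shows that adding nocase alone changes nothing, because the trailing space in content:"ssh " never occurs in an identification string; the hyphen-anchored content with depth and the pcre fire on the server banner (or, in the to_server variant, on the client's). Either way the rule marks the start of an SSH session, not an authentication attempt: the banner exchange precedes key exchange, and everything after it, including the login itself, is encrypted, so a pcap captured as Joel suggests is the right way to confirm exactly which bytes are visible before writing the final signature.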



------------------------------------------------------------------------------
Open source business process management suite built on Java and Eclipse
Turn processes into business applications with Bonita BPM Community
Edition
Quickly connect people, data, and systems into organized workflows
Winner of BOSSIE, CODIE, OW2 and Gartner awards
http://p.sf.net/sfu/Bonitasoft
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!
