Snort mailing list archives
Re: Rule for detecting ssh
From: Arvid Van Essche <arvid () vanessche be>
Date: Mon, 28 Apr 2014 11:20:55 +0200
Hi,

If you search the available Snort signatures, you will find several SSH-related ones. Sig ID 19559 is disabled by default and is used for SSH brute-force detection. I would suggest you get some inspiration from this one. I would recommend looking into some rate limiting if you create a signature to match on every SSH packet/SSH SYN packet.

# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; metadata:service ssh; classtype:misc-activity; sid:19559; rev:5;)

Best regards,
Arvid Van Essche

On 28 Apr 2014 07:48, "basant subba" <basantsubba () gmail com> wrote:
I want to write a rule to detect an SSH connection request. How do I go about it?

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
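To make the rate-limiting point in the reply concrete, here is an added example (not part of the mailing-list message and not Snort code) that models in plain Python how sid 19559's content:"SSH-"; depth:4 match is gated by detection_filter: track by_src, count 5, seconds 60. The packet format, the sample traffic and the sampling-window semantics are assumptions: the filter is modelled the way the Snort manual describes it, where the first match from a source opens a `seconds`-long window, matches inside it are counted, the rule fires on each match once the count exceeds `count`, and a match after the window expires starts a fresh one. The flow:to_server,established condition needs TCP state and is not modelled.

```python
"""Model of the rate-limited SSH rule (sid 19559) from the reply above.

Added example, not part of the original message or of Snort. It shows why
a rule that matches every "SSH-" banner needs detection_filter: without
it, each packet below would alert; with it, only a source that exceeds
`count` matches inside one `seconds` window does.
"""
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float           # seconds; constructed values below
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass
class DetectionFilter:
    """Assumed detection_filter semantics: fixed window opened by the
    first match from a source, fires once matches in the window exceed count."""
    count: int
    seconds: float
    state: dict = field(default_factory=dict)   # src -> (window_start, seen)

    def exceeded(self, key: str, ts: float) -> bool:
        start, seen = self.state.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            # First match, or the previous sampling window expired: new window.
            self.state[key] = (ts, 1)
            return 1 > self.count
        seen += 1
        self.state[key] = (start, seen)
        return seen > self.count


def content_match(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort-style content:"..."; depth:N; -- pattern must sit inside the first N bytes."""
    return pattern in payload[:depth]


def ssh_bruteforce_alerts(packets, count=5, seconds=60):
    """Return the packets that would alert under the rule: destination port 22,
    payload starting with "SSH-", and the per-source detection_filter exceeded."""
    df = DetectionFilter(count=count, seconds=seconds)
    alerts = []
    for p in packets:
        if p.dport != 22:                                   # $HOME_NET 22
            continue
        if not content_match(p.payload, b"SSH-", depth=4):  # content:"SSH-"; depth:4;
            continue
        if df.exceeded(p.src, p.ts):                        # track by_src
            alerts.append(p)
    return alerts


# Constructed sample traffic: one client sends seven SSH banners in 30 s,
# another sends three spread over two minutes, and one non-SSH packet hits port 22.
SAMPLE = [Packet(t, "203.0.113.7", "192.0.2.10", 22, b"SSH-2.0-OpenSSH_6.6")
          for t in (0, 5, 10, 15, 20, 25, 30)]
SAMPLE += [Packet(t, "198.51.100.3", "192.0.2.10", 22, b"SSH-2.0-PuTTY")
           for t in (0, 60, 120)]
SAMPLE.append(Packet(12, "203.0.113.9", "192.0.2.10", 22, b"GET / HTTP/1.1\r\n"))
SAMPLE.sort(key=lambda p: p.ts)

if __name__ == "__main__":
    for a in ssh_bruteforce_alerts(SAMPLE):
        print(f"ALERT sid:19559 {a.src} -> {a.dst}:{a.dport} at t={a.ts}")
```

Running it shows only the sixth and seventh banners from 203.0.113.7 alerting; the slow client never exceeds the count inside one window, and the HTTP packet never satisfies the content match. Dropping `count` to 2 turns the same traffic into five alerts, which is the trade-off the reply is pointing at when it recommends rate limiting for any rule that matches every SSH packet.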
Current thread:
- Rule for detecting ssh basant subba (Apr 27)
- Re: Rule for detecting ssh Arvid Van Essche (Apr 28)
- <Possible follow-ups>
- Rule for detecting ssh basant subba (Jun 25)
- Re: Rule for detecting ssh Shirkdog (Jun 25)
- Re: Rule for detecting ssh basant subba (Jun 25)
- Re: Rule for detecting ssh Joel Esler (jesler) (Jun 25)
- Re: Rule for detecting ssh Shirkdog (Jun 25)
- Re: Rule for detecting ssh Shirkdog (Jun 25)