Snort mailing list archives

Re: Building Alert rule

From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Thu, 7 May 2015 10:44:09 +0000

Hello,

                There is an example of this provided in the manual (see below). You should be able to alter it to fit 
your situation. http://manual.snort.org/node34.html#SECTION004710000000000000000

Example - this rule will fire on every failed login attempt from 10.1.2.100 during one sampling period of 60 seconds, 
after the first 30 failed login attempts:

    drop tcp 10.1.2.100 any > 10.1.1.100 22 ( \
        msg:"SSH Brute Force Attempt";
        flow:established,to_server; \
        content:"SSH"; nocase; offset:0; depth:4; \
        detection_filter:track by_src, count 30, seconds 60; \
        sid:1000001; rev:1;)


Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: May Smith [mailto:may24x () yahoo com]
Sent: Thursday, May 07, 2015 4:28 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Building Alert rule

Hi all,

I'm running CentOS with Snort 2.9.7.2

The box is online just for a couple of days and I can already see that I'm under attack
Somebody is hammering against port 22 trying to get access.

However, since I'm connecting from various places, my IP keeps changing every time.
So adding an IP to an ignore test won't help me.

So what I need is to create a rule that sends out an alert if some IP fails to login more than three times
but won't alert if login is successful.

Is that possible ? And if so, how ?

regards
may

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Building Alert rule May Smith (May 07)
- Re: Building Alert rule Al Lewis (allewi) (May 07)
- Re: Building Alert rule Joel Esler (jesler) (May 07)