Snort mailing list archives

Re: snort not alerting on same ip ssh attack after restart


From: wkitty42 () windstream net
Date: Sat, 9 Apr 2016 00:59:07 -0400

On 04/08/2016 03:42 PM, John Devine wrote:
>> what is the IP of your snort box?
> 10.31.40.20
>> what are your HOME_NET and EXTERNAL_NET values?
> var HOME_NET
> [10.31.2.78,10.31.2.79,172.17.0.0/24,192.168.11.0/24,192.168.50.15,127.0.0.1]
> var EXTERNAL_NET !$HOME_NET

ok, it appears that you are attacking from outside your defined HOME_NET so the 
rule should trigger...

> My hunch is that there is a specification in some specific rule which is
> overriding any global filter I have in place causing the alerts to stop
> firing after one attack.
> Unfortunately, modifying that specific rule is not an option for me as I
> update the rules automatically and don't customize any of them so that
> would not be a long term fix.

if you are using pulledpork or the older oinkmaster they have a config section 
to be able to modify specific rules... generally the option is disablesid and 
your list an SID to be commented out...

> I found the rule in question in emerging-scan.rules:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan";
> flags:S,12; threshold: type both, track by_src, count 5, seconds 120;
> reference:url,en.wikipedia.org/wiki/Brute_force_attack;
> reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon;
> sid:2001219; rev:19;)

yes, that's in the rule itself... the rule is looking only for SYN packets 
(flags:S,12) starting the three-way handshake... the timing is inside the rule...

   threshold: type both, track by_src, count 5, seconds 120;

the best thing to do is to do like i wrote before unless you want to try playing 
with the updater's modifysid option...

1. copy the rule to your local.rules file...

2. change the SID number in it to something over 10000000... all your local 
rules should be in this range and it should not be used in any other rules sets 
you use...

3. disable the original rule in the original file (emerging-scan.rules)...

4. edit this copy to remove the above threshold section or modify it how you 
want it...
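As an added illustration (not part of the thread, and not Snort's own code), the following Python models the documented semantics of the three rule-threshold types (limit / threshold / both) behind the `threshold:` line quoted above, and performs steps 2 and 4 of the procedure on the quoted ET rule. The attacker address, the event timestamps, and the helper names `simulate` and `local_copy` are constructed for the example.

```python
import re
from collections import defaultdict

# Simplified model of the Snort 2 manual's rule-threshold semantics; this is a
# re-implementation for illustration, not Snort's actual sfthreshold code.
def simulate(events, kind, count, seconds):
    """events: time-ordered (timestamp, src_ip) pairs for packets that match the
    rule body (here: SYNs to port 22). Returns timestamps at which alerts fire."""
    state = defaultdict(lambda: {"start": None, "n": 0})  # track by_src
    alerts = []
    for ts, src in events:
        s = state[src]
        if s["start"] is None or ts - s["start"] > seconds:
            s["start"], s["n"] = ts, 0          # open a new window for this source
        s["n"] += 1
        if kind == "limit":
            fire = s["n"] <= count              # first `count` events per window
        elif kind == "threshold":
            fire = s["n"] % count == 0          # every `count`-th event
        elif kind == "both":
            fire = s["n"] == count              # once per window, on the count-th
        else:
            raise ValueError(kind)
        if fire:
            alerts.append(ts)
    return alerts

# The ET rule as quoted in the thread (sid 2001219, rev 19).
ET_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; '
           'flags:S,12; threshold: type both, track by_src, count 5, seconds 120; '
           'reference:url,en.wikipedia.org/wiki/Brute_force_attack; '
           'reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; '
           'sid:2001219; rev:19;)')

def local_copy(rule, new_sid, new_threshold=None):
    """Steps 2 and 4: renumber the SID into the local range the post recommends
    and replace the threshold option (or drop it when new_threshold is None)."""
    if new_sid <= 10000000:
        raise ValueError("local SIDs should be over 10000000")
    rule = re.sub(r"sid:\d+;", f"sid:{new_sid};", rule)
    repl = f"threshold: {new_threshold}; " if new_threshold else ""
    return re.sub(r"threshold:[^;]*;\s*", repl, rule)

if __name__ == "__main__":
    # Constructed sample: one outside host (203.0.113.5) sends a SYN to port 22 every second.
    syns = [(t, "203.0.113.5") for t in range(30)]
    print("both     :", simulate(syns, "both", 5, 120))       # [4]  -> a single alert
    print("threshold:", simulate(syns, "threshold", 5, 120))  # [4, 9, 14, 19, 24, 29]
    print(local_copy(ET_RULE, 10000001, "type threshold, track by_src, count 5, seconds 120"))
```

With `type both` the source is alerted on once and then silenced for the rest of the 120-second window, which is the single alert the original poster saw; the same SYN stream under `type threshold` alerts on every fifth SYN.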


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
