Snort mailing list archives
Re: Need help about an rules
From: Felix via Snort-users <snort-users () lists snort org>
Date: Tue, 24 Jul 2018 15:18:03 +0200
Hi Michel,

as YM already pointed out: have a look at the rule with sid 19559. It is almost identical to yours. One notable difference is that you are further narrowing the IP addresses: do you really expect an SSH brute force attack from the private IP 192.168.1.30?

BTW: if you are concerned about ssh brute force attacks, have a look at fail2ban (www.fail2ban.org). It blocks IPs after a couple of failed ssh login tries out of the box.

greets
felix

On 23/07/18 21:03, Jean Michel Tangué via Snort-users wrote:
> alert tcp 192.168.1.30 any -> 192.168.1.50 22 ( msg:"SSH Brute Force Attempt"; flow:established,to_server; content:"SSH"; nocase; offset:0; depth:4; detection_filter:track by_src, count 3, seconds 60; sid:10000001; rev:1;)
>
> I wrote this rule so that when there are more than three failed SSH connection attempts there is an alert, but it is not working. Is it the rule that is badly written? Or if not, I ask for the exact writing of the rule. Thank you very much for helping me.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists snort org
> Go to this URL to change user options or unsubscribe:
> https://lists.snort.org/mailman/listinfo/snort-users
> To unsubscribe, send an email to: snort-users-leave () lists snort org
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
--
Felix Erlacher
ccs-labs.org/~erlacher
Key-ID:4EAC0959
Attachment:
signature.asc
Description: OpenPGP digital signature
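As an added illustration (not part of either message in this thread, and not Snort's own code), the following Python models the quoted rule and its detection_filter so the firing behaviour can be traced on constructed traffic: with count 3, seconds 60 the alert fires on the fourth matching connection from 192.168.1.30 inside the window, while a host outside the hard-coded source address never matches at all, which is Felix's point about the narrowed IPs. The window handling follows the documented count/seconds description and is an assumption, as is the to_server flag standing in for Snort's flow tracking.

```python
RULE = {  # constructed model of the rule quoted above
    "src_ip": "192.168.1.30", "dst_ip": "192.168.1.50", "dst_port": 22,
    "content": b"SSH", "offset": 0, "depth": 4,   # content:"SSH"; nocase; offset:0; depth:4
    "count": 3, "seconds": 60,                    # detection_filter:track by_src, count 3, seconds 60
}

def rule_matches(rule, pkt):
    """Header and payload checks of the quoted rule: fixed src/dst address and
    port, and "SSH" (nocase) inside the first 4 payload bytes. The to_server flag
    on the packet stands in for Snort's flow:established,to_server (assumption)."""
    if pkt["src"] != rule["src_ip"] or pkt["dst"] != rule["dst_ip"]:
        return False
    if pkt["dport"] != rule["dst_port"] or not pkt["to_server"]:
        return False
    window = pkt["payload"][rule["offset"]:rule["offset"] + rule["depth"]]
    return rule["content"].lower() in window.lower()

class DetectionFilter:
    """Per-source counter modelled on the documented detection_filter semantics:
    the event fires on the match that exceeds count within seconds, counted from
    the first match (a stale window restarts). An approximation, not Snort's code."""
    def __init__(self, count, seconds):
        self.count, self.seconds, self.state = count, seconds, {}

    def check(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:      # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count

def run(rule, packets):
    """Return the timestamps (seconds) at which the rule would alert."""
    df = DetectionFilter(rule["count"], rule["seconds"])
    return [p["ts"] for p in packets
            if rule_matches(rule, p) and df.check(p["src"], p["ts"])]

def banner(src, ts, dst="192.168.1.50"):
    """Constructed client version banner: the first to_server bytes of any SSH
    connection, so the rule counts connections, not failed logins."""
    return {"src": src, "dst": dst, "dport": 22, "to_server": True,
            "ts": ts, "payload": b"SSH-2.0-OpenSSH_7.6\r\n"}

# Constructed traffic: six connections from the rule's source (five within a minute,
# one after the window) and five from a host the hard-coded source address never covers.
SAMPLE = [banner("192.168.1.30", t) for t in (0, 10, 20, 30, 40, 120)]
SAMPLE += [banner("10.0.0.99", t) for t in (0, 5, 10, 15, 20)]

if __name__ == "__main__":
    print(run(RULE, SAMPLE))   # [30, 40]
```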