Snort mailing list archives

Re: Need help about an rules


From: Felix via Snort-users <snort-users () lists snort org>
Date: Tue, 24 Jul 2018 15:18:03 +0200

Hi Michel,

as YM already pointed out: have a look at the rule with sid 19559. It is
almost identical to yours.
One notable difference is that you are further narrowing the IP
addresses: do you really expect an SSH brute force attack from the
private IP 192.168.1.30?

BTW: if you are concerned about ssh brute force attacks, have a look at
fail2ban (www.fail2ban.org). It blocks IPs after a couple of failed ssh
login tries out of the box.

greets

felix

On 23/07/18 21:03, Jean Michel Tangué via Snort-users wrote:
alert tcp 192.168.1.30 any -> 192.168.1.50 22 (
msg:"SSH Brute Force Attempt";
flow:established,to_server;
content:"SSH"; nocase; offset:0; depth:4;
detection_filter:track by_src, count 3, seconds 60;
sid:10000001; rev:1;)


I wrote this rule so that when there are more than three failed SSH
connection attempts there is an alert, but it is not working. Is it
the rule that is badly written? Or if not, I ask for the exact writing
of the rule. Thank you very much for helping me.



_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

      To unsubscribe, send an email to:
      snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


-- 
Felix Erlacher

ccs-labs.org/~erlacher
Key-ID:4EAC0959
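To make the two points in this exchange concrete (what the quoted rule's header narrowing excludes, and what "count 3, seconds 60" means for the alert), here is a small Python model of the rule. It is an added illustration, not Snort's code and not something either poster wrote; the window semantics follow the Snort manual's description of detection_filter (an event once more than `count` matches from one source fall inside `seconds`, with the window restarting when a match arrives after it has expired), IP matching is reduced to "any" or one literal address, and the traffic, the second rule and its sid 10000002 are constructed for the example. One caveat the model makes visible: `content:"SSH"; offset:0; depth:4;` fires on the client identification string sent once per TCP connection, so the rule counts new connections from a source, not failed logins, which happen inside the encrypted session.

```python
"""Model of the quoted rule: header narrowing, the 'SSH' banner content
match, and a detection_filter (track by_src, count 3, seconds 60) state
machine.  Added illustration, not Snort code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    ts: float        # seconds since start of the (constructed) capture
    src: str
    dst: str
    dport: int
    to_server: bool  # stands in for flow:established,to_server
    payload: bytes   # first TCP payload bytes of the connection


@dataclass
class Rule:
    src_ip: str      # "any" or one address; CIDR and $HOME_NET variables not modelled
    dst_ip: str
    dport: int
    count: int       # detection_filter count
    seconds: int     # detection_filter seconds
    sid: int
    msg: str


# The rule as posted, and the same rule with the source left open, which is
# the narrowing Felix points at.  sid 10000002 is a constructed value.
MICHEL_RULE = Rule("192.168.1.30", "192.168.1.50", 22, 3, 60, 10000001,
                   "SSH Brute Force Attempt")
ANY_SRC_RULE = Rule("any", "192.168.1.50", 22, 3, 60, 10000002,
                    "SSH Brute Force Attempt (any source)")


def header_matches(rule: Rule, p: Packet) -> bool:
    """alert tcp <src> any -> <dst> <dport> plus flow:to_server."""
    return ((rule.src_ip == "any" or rule.src_ip == p.src)
            and (rule.dst_ip == "any" or rule.dst_ip == p.dst)
            and p.dport == rule.dport
            and p.to_server)


def content_matches(p: Packet) -> bool:
    """content:"SSH"; nocase; offset:0; depth:4; -> 'ssh' within bytes 0..3.
    That is the client's identification string (e.g. b"SSH-2.0-..."), sent
    once per TCP connection before key exchange: the rule counts connections,
    not authentication failures."""
    return b"ssh" in p.payload[:4].lower()


class DetectionFilter:
    """track by_src: one (window start, match count) pair per source address."""

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.seconds = seconds
        self.state: Dict[str, List[float]] = {}  # src -> [window_start, matches]

    def exceeded(self, src: str, ts: float) -> bool:
        st = self.state.get(src)
        if st is None or ts - st[0] > self.seconds:
            # first match from this source, or the old window expired: restart
            st = [ts, 0]
            self.state[src] = st
        st[1] += 1
        return st[1] > self.count   # event only once the rate is exceeded


def evaluate(rule: Rule, packets: List[Packet]) -> List[Tuple]:
    """Run one rule over a packet list; returns (ts, src, sid, msg) events."""
    df = DetectionFilter(rule.count, rule.seconds)
    events = []
    for p in sorted(packets, key=lambda x: x.ts):
        if not (header_matches(rule, p) and content_matches(p)):
            continue   # header or content miss: the filter is never consulted
        if df.exceeded(p.src, p.ts):
            events.append((p.ts, p.src, rule.sid, rule.msg))
    return events


def banner(ts: float, src: str, dst: str = "192.168.1.50") -> Packet:
    """Constructed client banner packet for one new SSH connection."""
    return Packet(ts, src, dst, 22, True, b"SSH-2.0-OpenSSH_7.6")


# Constructed traffic: four connections from 192.168.1.30 inside one minute,
# a fifth well after the window, and five from 10.0.0.5, which the narrowed
# rule never looks at.
SAMPLE_PACKETS = (
    [banner(t, "192.168.1.30") for t in (0, 10, 20, 30, 100)]
    + [banner(t, "10.0.0.5") for t in (0, 10, 20, 30, 40)]
)

if __name__ == "__main__":
    for rule in (MICHEL_RULE, ANY_SRC_RULE):
        for ev in evaluate(rule, SAMPLE_PACKETS):
            print(f"t={ev[0]:>4}  src={ev[1]:<13}  sid={ev[2]}  {ev[3]}")
```

Run as a script, the posted rule produces a single event (the fourth connection from 192.168.1.30, at t=30; the one at t=100 starts a fresh window), while the open-source variant also reports the fourth and fifth connection from 10.0.0.5. Three connections in a minute produce nothing under either rule, which is the "more than count" behaviour the detection_filter keyword gives you.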

