[Snort-sigs] rule for openssh successful connection

Paulo Filipe Mira paulo.mira at ...650...
Fri Jun 28 07:55:02 EDT 2002


I've looked around and i haven't been able to find a rule for this:

i want snort to log any successful connection to the ssh daemons
running on my DMZ. i'm the only one who should be doing such
connections, and it would great if i didn't have to rely on
the server's syslog messages as the sole source for that info.

is this even possible, given ssh's encription?

i'd give it a try myself, but i haven't written any rules
yet, and i think i should start off with something that doesn't
involve encripted streams.

i think it should be something along the lines of:

alert tcp $EXTERNAL_NET any -> $DMZ 22 (msg:"SSHD Successful Connection";
content: ????? ; nocase; flags:A+;  classtype:tcp-connection; sid:????;
rev:1;)

has anyone ever done this?

TIA,

Paulo Filipe Mira
SA
Soquímica
paulo.mira at ...650...
Tel: +351 21 716 51 60
Fax: +351 21 716 51 69






More information about the Snort-sigs mailing list