[Snort-sigs] rule for openssh successful connection
Paulo Filipe Mira
paulo.mira at ...650...
Fri Jun 28 10:05:07 EDT 2002
Sorry guys, by the replies I'm getting I think I wasn't
clear enough in my first post. Thanks to all that replied.
By successful connection I meant a client successfully authenticating,
i.e. getting a shell (could also be getting a port redirected, but I
don't actually use that in my setup).
After a successful login via ssh (brute-forcing a password,
or any other means) an attacker could escalate to root and
wipe the syslog. If he were to kit me, the only ways I would
have to know that something fishy was going on would be by
the tripwire check (that I do less often than I should) or
by the odd traffic that he would generate.
So basically I would want snort to be able to tell me something
along the lines of: ip x.x.x.x logged on to DMZ1 using ssh.
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of
> Ryan Russell
> Sent: Friday, 28 June 2002 17:11
> To: Paulo Filipe Mira
> Cc: Snort-Sigs (E-mail)
> Subject: Re: [Snort-sigs] rule for openssh successful connection
> On Fri, 28 Jun 2002, Paulo Filipe Mira wrote:
> > I want snort to log any successful connection to the ssh daemons
> > running on my DMZ. I'm the only one who should be doing such
> > connections, and it would be great if I didn't have to rely on
> > the server's syslog messages as the sole source for that info.
> Define "successful connection". Do you mean simply completing the TCP
> handshake, or download of keys, or successful client
> authentication, or
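As an added example (not from the original thread), one way to get Snort to report the "ip x.x.x.x logged on to DMZ1 using ssh" line from the wire rather than from the host's syslog, assuming Snort 2 rule syntax and constructed placeholder values for DMZ_NET and ADMIN_HOST. Because the SSH session is encrypted, Snort can only see that sshd answered a client, not that authentication succeeded, so the rule fires on any SSH server banner sent to a client other than the admin host, which fits the "I'm the only one who should be connecting" setup.

```snort
# Added example, not from the original post. Addresses are constructed
# placeholders; replace DMZ_NET and ADMIN_HOST with your own values.
var DMZ_NET 192.168.10.0/24
var ADMIN_HOST 192.168.1.5

# The SSH session is encrypted, so Snort cannot tell whether the login
# succeeded. What it can see is the server's cleartext version banner
# ("SSH-2.0-..." or "SSH-1.99-...") going back to the client on an
# established TCP session, i.e. the handshake completed and sshd answered.
# Alert when that banner goes to any client other than the admin host;
# this is independent of the server's syslog, so wiping it does not hide it.
alert tcp $DMZ_NET 22 -> !$ADMIN_HOST any \
    (msg:"DMZ ssh session opened by non-admin host"; \
    flow:from_server,established; \
    content:"SSH-"; depth:4; \
    classtype:attempted-admin; sid:1000001; rev:1;)

# The rule fires once per session. A burst of these alerts from one source
# looks like password guessing; a single long-lived session after the burst
# is the one to compare against a remote syslog copy or the tripwire check.
```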