[Snort-sigs] rule for openssh successful connection

Paulo Filipe Mira paulo.mira at ...650...
Fri Jun 28 10:05:07 EDT 2002


Sorry guys, by the replies I'm getting I think I wasn't
clear enough in my first post. Thanks to all that replied,
though.

By successful connection I meant a client successfully authenticating,
i.e. getting a shell (could also be getting a port redirected, but I
don't actually use that in my setup).

After a successful login via ssh (brute-forcing a password,
or any other means) an attacker could escalate to root and
wipe the syslog. If he were to kit me, the only ways I would
have to know that something fishy was going on would be by
the tripwire check (that I do less often than I should) or
by the odd traffic that he would generate.

So basically I would want snort to be able to tell me something
along the lines of: ip x.x.x.x logged on to DMZ1 using ssh.


Paulo Mira


> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of
> Ryan Russell
> Sent: Friday, 28 June 2002 17:11
> To: Paulo Filipe Mira
> Cc: Snort-Sigs (E-mail)
> Subject: Re: [Snort-sigs] rule for openssh successful connection
> 
> 
> On Fri, 28 Jun 2002, Paulo Filipe Mira wrote:
> > i want snort to log any successful connection to the ssh daemons
> > running on my DMZ. i'm the only one who should be doing such
> > connections, and it would be great if i didn't have to rely on
> > the server's syslog messages as the sole source for that info.
> 
> Define "successful connection". Do you mean simply completing the TCP
> handshake, or download of keys, or successful client authentication, or
> what?
> 
> 					Ryan
> 
> 
> 

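What Paulo is asking for cannot be matched directly by a content rule: the only cleartext an SSH session ever puts on the wire is the version banner exchanged before key exchange, and every connection carries it, including each failed brute-force attempt, so a rule on "SSH-" would fire on exactly the noise he wants to ignore. The authentication messages themselves are inside the encrypted channel. What a sensor off the DMZ host can do (which keeps the record out of reach of an attacker who wipes syslog on the box) is infer a login from session metadata. The script below is an added example written for this page, not code from the thread or from the Snort project, and it works on constructed per-session records rather than live traffic. It assumes the sensor exports one record per TCP session with duration, payload bytes in each direction and the first server payload; that sshd on the DMZ hosts runs with a LoginGraceTime of 120 s (an unauthenticated connection cannot outlive that window, so a longer session must have authenticated); and that shorter sessions can be classified by payload volume, which is a heuristic with a tunable threshold and known false negatives. The hostname map, thresholds and sample sessions are all made up for the example.

```python
"""
Added example (not from the original thread or the Snort project):
inferring a successful SSH login from per-session metadata, because
the authentication exchange is encrypted and cannot be content-matched.

Assumptions, none of them stated in the post:
  - one record per TCP session to a DMZ host, exported by the sensor;
  - sshd on the DMZ hosts uses LoginGraceTime 120 (set LOGIN_GRACE_S to
    whatever is configured; a value of 0 disables the timeout and with
    it the strong signal below);
  - MIN_AUTH_BYTES is a site-specific threshold: banner + key exchange +
    a few USERAUTH_FAILURE round trips stay well under it, an interactive
    shell or file transfer exceeds it. A very short `ssh host exit`
    session can slip under it (false negative).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOGIN_GRACE_S = 120      # assumed sshd LoginGraceTime on the DMZ hosts
MIN_AUTH_BYTES = 6000    # assumed ceiling for a failed-auth-only session
SSH_BANNER = re.compile(rb"^SSH-(\d\.\d+)-(\S+)")


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    duration_s: float
    client_bytes: int          # payload bytes client -> server
    server_bytes: int          # payload bytes server -> client
    first_server_payload: bytes


def parse_banner(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (protocol_version, software) from an SSH identification
    string such as b'SSH-2.0-OpenSSH_3.4p1\\r\\n', or None if absent."""
    m = SSH_BANNER.match(payload)
    return (m.group(1).decode(), m.group(2).decode()) if m else None


def is_ssh(s: Session) -> bool:
    """Classify by the server banner rather than the port, so a scan
    probe or a non-SSH listener on 22 is not counted as an SSH session."""
    return parse_banner(s.first_server_payload) is not None


def likely_authenticated(s: Session) -> bool:
    if not is_ssh(s):
        return False
    # Strong signal: sshd would have torn down an unauthenticated
    # connection once LoginGraceTime expired.
    if s.duration_s > LOGIN_GRACE_S:
        return True
    # Weak signal: a failed-auth session is a few KB of handshake plus a
    # handful of encrypted userauth messages; a real session moves more.
    return s.client_bytes + s.server_bytes > MIN_AUTH_BYTES


def ssh_login_report(sessions: List[Session], dmz: dict) -> List[str]:
    """One line per inferred login, in the shape the poster asked for."""
    return [
        f"ip {s.src} logged on to {dmz.get(s.dst, s.dst)} using ssh"
        for s in sessions
        if s.dst in dmz and likely_authenticated(s)
    ]


# Constructed sample sessions (made up for the example, not real traffic).
DMZ = {"192.0.2.10": "DMZ1"}
SAMPLE = [
    # failed password guesses: banner, kex, a few USERAUTH_FAILUREs, disconnect
    Session("198.51.100.7", "192.0.2.10", 22, 9.0, 2900, 2100,
            b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    # interactive shell that outlived the login grace window
    Session("203.0.113.5", "192.0.2.10", 22, 640.0, 18000, 120000,
            b"SSH-2.0-OpenSSH_3.4p1\r\n"),
    # short but bulky session (file copy): caught by the byte heuristic
    Session("203.0.113.5", "192.0.2.10", 22, 30.0, 5200, 900000,
            b"SSH-1.99-OpenSSH_3.4p1\r\n"),
    # half-open scan probe: no banner ever seen
    Session("198.51.100.9", "192.0.2.10", 22, 0.1, 0, 0, b""),
    # some other service answering on 22 for a long time
    Session("198.51.100.9", "192.0.2.10", 22, 300.0, 50000, 50000,
            b"220 mail ready\r\n"),
]

if __name__ == "__main__":
    for line in ssh_login_report(SAMPLE, DMZ):
        print(line)
```

Only the two sessions from 203.0.113.5 are reported; the brute-force attempt, the probe and the non-SSH listener are not. The duration test is the part worth trusting, since it rests on sshd's own behaviour; the byte threshold is a tuning knob and should be set from observed failed-login sessions on the actual DMZ hosts before anyone alerts on it.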

More information about the Snort-sigs mailing list