[Snort-sigs] SSH Scans
matt at ...2436...
Mon Aug 23 11:18:00 EDT 2004
Seeing a ton of ssh brute force attempts against boxes all over the
place. None successful since they're concentrating on root, but the rate
is low enough that the portscan preprocessors aren't getting them (at
the thresholds we usually use).

So I put this rule up on bleedingsnort.com:

alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:to_server,established; threshold:type limit, track by_dst, count 5, seconds 60; classtype:attempted-dos; sid:2001219;)

5 ssh connects in 60 seconds from one source is generally unusual.
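
How the threshold options in the rule above behave, as an added example that is not part of the original post: a simplified Python model of Snort's limit/threshold/both threshold types, run over constructed events, comparing the posted `type limit, track by_dst` with a per-source count. The `Event` tuple, the `apply_threshold` function and all addresses are assumptions made for the illustration, and each event stands for one match of the rule.

```python
# Added illustration: simplified model of Snort 2.x rule thresholding.
# Not Snort code; names and sample data are constructed for this example.
from collections import namedtuple

Event = namedtuple("Event", "t src dst")  # t = seconds, one event per rule match

def apply_threshold(events, kind, track, count, seconds):
    """Return the events that would raise an alert.

    kind:  "limit"     -> alert on the first `count` events per window
           "threshold" -> alert on every `count`-th event per window
           "both"      -> alert once per window, on the `count`-th event
    track: "by_src" or "by_dst" (which address keys the counter)
    """
    if kind not in ("limit", "threshold", "both"):
        raise ValueError("unknown threshold type: " + kind)
    state = {}   # tracked address -> [window_start, matches_in_window]
    alerts = []
    for ev in sorted(events, key=lambda e: e.t):
        key = ev.src if track == "by_src" else ev.dst
        win = state.get(key)
        if win is None or ev.t - win[0] >= seconds:
            win = state[key] = [ev.t, 0]      # start a new window
        win[1] += 1
        n = win[1]
        if kind == "limit":
            fire = n <= count
        elif kind == "threshold":
            fire = n % count == 0
        else:
            fire = n == count
        if fire:
            alerts.append(ev)
    return alerts

# Constructed sample: one host guessing passwords, five ordinary logins.
SERVER = "10.0.0.5"
SCANNER = "198.51.100.7"
EVENTS = [Event(t, SCANNER, SERVER) for t in range(0, 40, 5)] + [
    Event(2 + 10 * i, "203.0.113.%d" % (i + 1), SERVER) for i in range(5)]

# Options as posted: counts per destination, alerts from the first match.
as_posted = apply_threshold(EVENTS, "limit", "by_dst", 5, 60)
# Per-source alternative: fires only when one source reaches 5 matches.
per_source = apply_threshold(EVENTS, "threshold", "by_src", 5, 60)

if __name__ == "__main__":
    print("as posted :", [(a.t, a.src) for a in as_posted])
    print("per source:", [(a.t, a.src) for a in per_source])
```

In this model the posted options alert on the first five matches towards the server regardless of who sent them, while the per-source variant stays quiet until a single address reaches five matches in the window.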