[Snort-sigs] SSH Scans

Matthew Jonkman matt at ...2436...
Mon Aug 23 11:18:00 EDT 2004


Seeing a ton of ssh brute force attempts against boxes all over the 
place. None successful since they're concentrating on root, but the rate 
is low enough that the portscan preprocessors aren't getting them (at 
the thresholds we usually use).

So I put this rule up on bleedingsnort.com:

# track by_src so the count is kept per connecting source (by_dst would lump
# every client of one server together), and type both so the rule fires once
# on the fifth connection in the window rather than on each of the first five.
alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:to_server,established; threshold:type both, track by_src, count 5, seconds 60; classtype:attempted-dos; sid:2001219; rev:1;)

5 ssh connects in 60 seconds from one source is generally unusual.

Matt
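To see what the threshold options in a rule like this actually do, here is an added example (not Matt's or bleedingsnort.com's code) that emulates Snort's `threshold` keyword over a constructed list of completed SSH connections, comparing `track by_src` with `by_dst` and `type both` with `type limit`. Timestamps, IPs and the fixed-window semantics are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sample of completed SSH connections: (seconds, src_ip, dst_ip).
# One source hammers 192.0.2.10; three ordinary users log in to 192.0.2.20.
EVENTS = [
    (0, "10.9.9.9", "192.0.2.10"), (5, "10.9.9.9", "192.0.2.10"),
    (12, "10.9.9.9", "192.0.2.10"), (20, "10.9.9.9", "192.0.2.10"),
    (31, "10.9.9.9", "192.0.2.10"), (45, "10.9.9.9", "192.0.2.10"),
    (3, "198.51.100.7", "192.0.2.20"), (8, "198.51.100.8", "192.0.2.20"),
    (15, "198.51.100.7", "192.0.2.20"), (22, "198.51.100.8", "192.0.2.20"),
    (40, "198.51.100.9", "192.0.2.20"),
]


def run_threshold(events, track="by_src", mode="both", count=5, seconds=60):
    """Emulate Snort's `threshold` keyword on a stream of rule matches.

    track: "by_src" keys the counter on the source IP, "by_dst" on the
           destination IP.
    mode:  "limit" alerts on each of the first `count` matches in a window;
           "both" alerts once, on the `count`-th match in a window.
    Windows are modelled as fixed (an assumption): one opens on the first
    match for a key and is reset when a match arrives `seconds` or more
    after it opened.  Returns a list of (timestamp, tracked_ip) alerts.
    """
    state = defaultdict(lambda: [None, 0])  # key -> [window_start, matches]
    alerts = []
    for ts, src, dst in sorted(events):
        key = src if track == "by_src" else dst
        win = state[key]
        if win[0] is None or ts - win[0] >= seconds:
            win[0], win[1] = ts, 0          # open a fresh window for this key
        win[1] += 1
        hit = win[1] <= count if mode == "limit" else win[1] == count
        if hit:
            alerts.append((ts, key))
    return alerts


if __name__ == "__main__":
    # by_src/both: one alert, for the hammering source only
    print("by_src/both :", run_threshold(EVENTS))
    # by_dst/both: also fires on 192.0.2.20, whose five connects came from
    # three different legitimate users
    print("by_dst/both :", run_threshold(EVENTS, track="by_dst"))
    # by_src/limit: an alert for every one of the first five connects per
    # source, i.e. every normal login shows up too
    print("by_src/limit:", run_threshold(EVENTS, mode="limit"))
```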
