[Snort-sigs] SSH Scans

Brian bmc at ...95...
Mon Aug 23 12:17:01 EDT 2004


On Mon, Aug 23, 2004 at 01:17:00PM -0500, Matthew Jonkman wrote:
> Seeing a ton of ssh brute force attempts against boxes all over the
> place. None successful since they're concentrating on root, but the
> rate is low enough that the portscan preprocessors aren't getting
> them (at the thresholds we usually use)
> 
> So I put this rule up on bleedingsnort.com:
> 
> alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH
> Brute Force Attack"; flow:to_server,established; threshold:type
> limit, track by_dst, count 5, seconds 60; classtype:attempted-dos;
> sid:2001219; rev:1;)
> 
> 5 ssh connects in 60 seconds from one source is generally unusual.

Except that isn't what your rule states.  You are using by_dst, not
by_src.

Your current rule states:
    if you see 5 connections to one destination within a 60 second
    window, alert.

uh... better hope you are not running a moderately used SSH server and
using bleeding edge rules.

-b
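An added illustration, not part of the original thread and not Snort's own code: a small Python simulation of Snort 2.x rule thresholding with the `limit`, `threshold` and `both` types as the Snort manual defines them, run over a constructed connection log (the IPs, timestamps and the `parse_threshold()`/`alerts()` helpers are assumptions made for this example). It shows the point made above, that `track by_dst` keys the counter on the server, so seven different admins each logging into one box once a minute trip the rule, and one further caveat: `type limit` alerts on the first `count` events in the window rather than only once the fifth arrives, so the rule as posted fires on the very first SSH connection to a destination. `type both` with `track by_src` is the combination that alerts once a single source has made five connections in a minute. Later Snort versions moved rule-level thresholding to `detection_filter`/`event_filter`, but the type/track/count/seconds vocabulary is the same.

```python
"""Simulate Snort 2.x rule thresholding over a constructed connection log.

Semantics per the Snort manual (rule 'threshold:' option):
  limit     - alert on the first `count` events in the window, then suppress
  threshold - alert on every `count`-th event in the window
  both      - alert once per window, on the `count`-th event, then suppress
The window for a key opens at its first event and is restarted once it expires.
This is a simplified model for illustration, not Snort's implementation.
"""


class Threshold:
    def __init__(self, type_, track, count, seconds):
        assert type_ in ("limit", "threshold", "both"), type_
        assert track in ("by_src", "by_dst"), track
        self.type = type_
        self.track = track
        self.count = count
        self.seconds = seconds
        self._state = {}  # key -> (window_start_ts, events_seen_in_window)

    def key(self, src, dst):
        # by_dst counts per server; by_src counts per client
        return src if self.track == "by_src" else dst

    def event(self, ts, src, dst):
        """Feed one matching event; return True if the rule should alert."""
        k = self.key(src, dst)
        start, n = self._state.get(k, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # open a fresh window for this key
        n += 1
        self._state[k] = (start, n)
        if self.type == "limit":
            return n <= self.count
        if self.type == "threshold":
            return n % self.count == 0
        return n == self.count        # both


def parse_threshold(opt):
    """Parse the body of a Snort 'threshold:' option, e.g.
    'type limit, track by_dst, count 5, seconds 60'."""
    fields = dict(part.split() for part in opt.split(","))
    return Threshold(fields["type"], fields["track"],
                     int(fields["count"]), int(fields["seconds"]))


def alerts(opt, log):
    """Run one threshold spec over (ts, src, dst) events in time order.
    Returns the (ts, tracked_key) pairs on which the rule alerted."""
    th = parse_threshold(opt)
    return [(ts, th.key(src, dst))
            for ts, src, dst in sorted(log)
            if th.event(ts, src, dst)]


# Constructed sample data (not real traffic): established client->tcp/22.
# Seven different admins, one login each, over 48 seconds, to one server.
BUSY_SERVER = [(8 * i, "10.1.0.%d" % (11 + i), "10.0.0.5") for i in range(7)]
# One source hammering a second server: eight connections in 21 seconds.
BRUTE_FORCE = [(100 + 3 * i, "198.51.100.7", "10.0.0.9") for i in range(8)]

ORIGINAL_RULE = "type limit, track by_dst, count 5, seconds 60"
BY_SRC_BOTH = "type both, track by_src, count 5, seconds 60"

if __name__ == "__main__":
    for name, spec in (("as posted", ORIGINAL_RULE), ("by_src/both", BY_SRC_BOTH)):
        print("%-12s busy server: %d alert(s), brute force: %d alert(s)" % (
            name, len(alerts(spec, BUSY_SERVER)), len(alerts(spec, BRUTE_FORCE))))
```

Running it, the rule as posted produces five alerts for the busy server (one per admin login, starting with the first) and five for the brute forcer, so the two cases are indistinguishable; the `by_src`/`both` variant produces none for the busy server and a single alert on the attacker's fifth connection.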