[Snort-sigs] SSH Scans

Matthew Jonkman matt at ...2436...
Mon Aug 23 12:49:18 EDT 2004


>>5 ssh connects in 60 seconds from one source is generally unusual.
> 
> 
> Except that isn't what your rule states.  You are using by_dst, not
> by_src.
> 
> Your current rule states:
>     if you see 5 connections to one destination within a 60 second
>     window, alert.

Thanks for catching that. Fixed.

Matt
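
The by_src / by_dst distinction raised in this thread, as an added example that is not part of the original messages and is not Snort's own code. It is a simplified Python model of a count-in-window threshold; the fixed window starting at a key's first event, the function name, and all addresses and timestamps are assumptions constructed for illustration.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts src dst")  # ts = seconds, one event per SSH connect

def threshold_alerts(events, track, count=5, seconds=60):
    """Simplified model: alert once when `count` events share the tracked
    key inside a `seconds`-long window that starts at the key's first event."""
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be 'by_src' or 'by_dst'")
    windows = {}  # tracked key -> [window_start, hits]
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.src if track == "by_src" else ev.dst
        win = windows.get(key)
        if win is None or ev.ts - win[0] >= seconds:
            win = windows[key] = [ev.ts, 0]  # open a fresh window for this key
        win[1] += 1
        if win[1] == count:
            alerts.append((ev.ts, key))
    return alerts

# Constructed sample traffic (documentation address ranges).
# Five different clients each connect once to one busy SSH server.
BUSY_SERVER = [Event(t, "203.0.113.%d" % (i + 1), "192.0.2.10")
               for i, t in enumerate((0, 10, 20, 30, 40))]
# One source connects to five different hosts within a few seconds.
SCANNER = [Event(100 + i, "198.51.100.7", "192.0.2.%d" % (21 + i))
           for i in range(5)]
EVENTS = BUSY_SERVER + SCANNER

if __name__ == "__main__":
    for track in ("by_dst", "by_src"):
        print(track, threshold_alerts(EVENTS, track))
```

Tracking by_dst alerts on the busy server and misses the single source touching five hosts; tracking by_src does the reverse, which matches "5 ssh connects in 60 seconds from one source".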



