[Snort-sigs] SSH Scans
frank at ...1978...
Mon Aug 23 13:04:09 EDT 2004
On Mon, 2004-08-23 at 13:17, Matthew Jonkman wrote:
> 5 ssh connects in 60 seconds from one source is generally unusual.
If you are under the impression that one source IP represents one user,
then yes. However, what about networks behind a single NAT IP, or
proxies? (AOL for example)
If you have 5+ different users/servers behind a NAT gateway logging into
the same box, you will falsely trigger that rule.
Be very careful when working with thresholds. Remember that a single IP
can be multiple users.
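
An added illustration of the false positive described in this message; it is not part of the original post and is not Snort code. It simulates a track-by-source threshold (5 connections in 60 seconds, the figure quoted above) over constructed events. The addresses, the function name and the distinct-destination count used as a triage hint are assumptions of this example.

```python
from collections import defaultdict, deque

def per_source_alerts(events, count=5, seconds=60):
    """Track-by-source threshold: alert once a source IP reaches `count`
    connections inside a sliding `seconds` window.

    events: (timestamp, src_ip, dst_ip) tuples sorted by timestamp.
    Returns {src_ip: number of distinct destinations in the window that fired}.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ts, src, dst in events:
        win = windows[src]
        win.append((ts, dst))
        # Drop connections that have aged out of the window.
        while win and ts - win[0][0] >= seconds:
            win.popleft()
        if len(win) >= count and src not in alerts:
            alerts[src] = len({d for _, d in win})
    return alerts

# Constructed sample data (documentation address ranges, not real traffic).
# 203.0.113.10: NAT gateway; five different people log into the same box.
NAT_EVENTS = [(t, "203.0.113.10", "192.0.2.5") for t in (0, 9, 21, 30, 47)]
# 198.51.100.7: one host connecting to five different servers in seconds.
SCAN_EVENTS = [(t, "198.51.100.7", f"192.0.2.{h}")
               for t, h in zip((2, 3, 4, 5, 6), range(1, 6))]
# 203.0.113.99: one user, five logins spread over minutes (stays below the threshold).
SLOW_EVENTS = [(t, "203.0.113.99", "192.0.2.5") for t in (0, 120, 240, 360, 480)]

EVENTS = sorted(NAT_EVENTS + SCAN_EVENTS + SLOW_EVENTS)

if __name__ == "__main__":
    # Both the NAT gateway and the sweeping host trip the same threshold.
    # The sensor sees only IPs, so the five users are indistinguishable
    # from one client; the destination spread is the visible difference
    # in this constructed data (assumption: a scan touches several hosts).
    for src, ndst in per_source_alerts(EVENTS).items():
        print(f"alert src={src} distinct_dst_in_window={ndst}")
```
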