[Snort-sigs] SSH Scans

Frank Knobbe frank at ...1978...
Mon Aug 23 13:04:09 EDT 2004


On Mon, 2004-08-23 at 13:17, Matthew Jonkman wrote:
> 5 ssh connects in 60 seconds from one source is generally unusual.

If you are under the impression that one source IP represents one user,
then yes. However, what about networks behind a single NAT IP, or
proxies? (AOL for example)
If you have 5+ different users/servers behind a NAT gateway logging into
the same box, you will falsely trigger that rule.

Be very careful when working with thresholds. Remember that a single IP
can be multiple users.

Cheers,
Frank
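
The false positive described above, as an added example that is not part of the original message or of any Snort rule: a per-source sliding-window counter using the quoted 5-in-60-seconds threshold, run over constructed connection events. The event tuple format, the addresses (documentation ranges) and the distinct-destination count returned as triage context are assumptions of this example.

```python
from collections import defaultdict, deque

COUNT, WINDOW = 5, 60  # "5 ssh connects in 60 seconds from one source"


def threshold_alerts(events, count=COUNT, window=WINDOW):
    """events: (ts_seconds, src_ip, dst_ip) tuples sorted by time.

    Returns {src_ip: set of dst_ips in the window that first crossed
    the threshold}. Tracking is by source only, as in the quoted rule.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, src, dst in events:
        q = recent[src]
        q.append((ts, dst))
        # Drop connections that have aged out of the window.
        while q and ts - q[0][0] >= window:
            q.popleft()
        if len(q) >= count and src not in alerts:
            alerts[src] = {d for _, d in q}
    return alerts


def distinct_targets(alerts):
    """Triage context (assumption): how many hosts each alerting source hit."""
    return {src: len(dsts) for src, dsts in alerts.items()}


# Constructed sample data, not real traffic.
# One source connecting to five different hosts within ten seconds.
SWEEP = [(t, "198.51.100.7", f"192.0.2.{10 + t}") for t in range(0, 10, 2)]
# Five different users behind one NAT address logging into the same box.
NAT_USERS = [(t, "203.0.113.1", "192.0.2.50") for t in (1, 12, 25, 38, 51)]
# One source reconnecting slowly; never five connections inside 60 seconds.
SLOW = [(t, "203.0.113.9", "192.0.2.50") for t in (0, 30, 61, 95, 130)]
EVENTS = sorted(SWEEP + NAT_USERS + SLOW)

if __name__ == "__main__":
    alerts = threshold_alerts(EVENTS)
    for src, n in sorted(distinct_targets(alerts).items()):
        print(f"ALERT {src}: >= {COUNT} connects in {WINDOW}s, {n} distinct target(s)")
```

Both the sweep and the NAT gateway cross the threshold; the counter alone cannot tell them apart, which is the point the message makes.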
