[Snort-sigs] SSH Scans
matt at ...2436...
Mon Aug 23 13:13:05 EDT 2004
Frank Knobbe wrote:
> On Mon, 2004-08-23 at 13:17, Matthew Jonkman wrote:
> > 5 ssh connects in 60 seconds from one source is generally unusual.
> If you are under the impression that one source IP represents one user,
> then yes. However, what about networks behind a single NAT IP, or
> proxies? (AOL for example)
> If you have 5+ different users/servers behind a NAT gateway logging into
> the same box, you will falsely trigger that rule.
> Be very careful when working with thresholds. Remember that a single IP
> can be multiple users.
Very true. Maybe 10/minute would be a better threshold?
Definitely something to adjust locally, I think. We have a lot of people
coming from single sites and IPs as well, but it'd be pretty rare that
5 new connections to the same box opened up within a minute, I'd think.
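The by-source threshold being discussed, shown as a small detector run over constructed sshd log lines (an added example, not part of the thread or of any Snort rule): the NAT gateway with five different users inside a minute trips the 5/60s threshold exactly as Frank describes, the scanner trips it too, and raising the count to 10 silences both. All hostnames, addresses and PIDs are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log (not real traffic): 203.0.113.5 is a NAT gateway with
# several users behind it, 198.51.100.9 is a single noisy source, and
# 192.0.2.7 is a normal host connecting a couple of times.
SAMPLE_LOG = """\
Aug 23 13:10:02 bastion sshd[4001]: Connection from 192.0.2.7 port 50001
Aug 23 13:10:10 bastion sshd[4002]: Connection from 203.0.113.5 port 61001
Aug 23 13:10:21 bastion sshd[4003]: Connection from 203.0.113.5 port 61002
Aug 23 13:10:35 bastion sshd[4004]: Connection from 203.0.113.5 port 61003
Aug 23 13:10:48 bastion sshd[4005]: Connection from 203.0.113.5 port 61004
Aug 23 13:11:01 bastion sshd[4006]: Connection from 203.0.113.5 port 61005
Aug 23 13:12:00 bastion sshd[4007]: Connection from 198.51.100.9 port 40001
Aug 23 13:12:01 bastion sshd[4008]: Connection from 198.51.100.9 port 40002
Aug 23 13:12:02 bastion sshd[4009]: Connection from 198.51.100.9 port 40003
Aug 23 13:12:03 bastion sshd[4010]: Connection from 198.51.100.9 port 40004
Aug 23 13:12:04 bastion sshd[4011]: Connection from 198.51.100.9 port 40005
Aug 23 13:14:30 bastion sshd[4012]: Connection from 192.0.2.7 port 50002
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Connection from (\S+) port \d+")

def parse_connections(text):
    """Yield (timestamp, source_ip) for every sshd 'Connection from' line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)

def detect_bursts(events, count=5, seconds=60):
    """Sliding-window threshold tracked per source IP: alert when a source
    reaches `count` connections inside `seconds`, then start a fresh window
    so one burst yields one alert. Returns [(source_ip, "HH:MM:SS"), ...]."""
    windows = defaultdict(deque)
    alerts = []
    for ts, src in events:            # log lines are in chronological order
        q = windows[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > seconds:
            q.popleft()               # drop connections older than the window
        if len(q) >= count:
            alerts.append((src, ts.strftime("%H:%M:%S")))
            q.clear()
    return alerts

if __name__ == "__main__":
    for src, when in detect_bursts(parse_connections(SAMPLE_LOG)):
        print(f"{when} source {src} reached the threshold")
```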