[Snort-sigs] SSH Scans

Matthew Jonkman matt at ...2436...
Mon Aug 23 13:13:05 EDT 2004


Frank Knobbe wrote:
> On Mon, 2004-08-23 at 13:17, Matthew Jonkman wrote:
> 
>>5 ssh connects in 60 seconds from one source is generally unusual.
> 
> 
> If you are under the impression that one source IP represents one user,
> then yes. However, what about networks behind a single NAT IP, or
> proxies? (AOL for example)
> If you have 5+ different users/server behind a NAT gateway logging into
> the same box, you will falsely trigger that rule.
> 
> Be very careful when working with thresholds. Remember that a single IP
> can be multiple users.

Very true. Maybe 10/minute would be a better threshold?

Definitely something to adjust locally I think. We have a lot of people 
coming from single sites and IPs as well, but it'd be pretty rare that 
5 new connections to the same box opened up within a minute I'd think.

Matt
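The threshold being debated above can be replayed over a constructed log to see exactly what the NAT objection means. The following is an added example, not code from the thread or from the Snort project: it approximates Snort's `threshold: type both, track by_src, count N, seconds T` counting and runs it over three constructed sources (a scanner, a NAT gateway hiding six users, and one ordinary user). The rule text, the IP addresses and the timings are all assumptions made for the example.

```python
"""Replay constructed SSH connection attempts through a Snort-style
per-source threshold to see how NAT changes what fires (added example)."""
from collections import defaultdict

# The kind of rule under discussion, in Snort 2 syntax (assumed wording; the
# thread only describes "5 ssh connects in 60 seconds from one source").
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection burst"; '
    'flags:S; threshold:type both, track by_src, count 5, seconds 60; '
    'sid:1000001; rev:1;)'
)

# Constructed sample events: (time_seconds, src_ip, src_port, dst_ip, note).
# 203.0.113.9 is a scanner opening 12 connections to one host in 36 seconds.
# 198.51.100.1 is a NAT gateway: six different users each open one session
# to the same server over 50 seconds, but Snort only sees one source IP.
# 192.0.2.7 is a single user logging in twice, more than a minute apart.
SAMPLE_EVENTS = sorted(
    [(t, "203.0.113.9", 40000 + i, "192.0.2.22", "scanner")
     for i, t in enumerate(range(0, 36, 3))]
    + [(10 + 8 * i, "198.51.100.1", 50000 + i, "192.0.2.22", f"nat-user-{i}")
       for i in range(6)]
    + [(5, "192.0.2.7", 51000, "192.0.2.22", "one user"),
       (70, "192.0.2.7", 51001, "192.0.2.22", "one user")]
)


def threshold_alerts(events, count, seconds):
    """Approximate 'threshold: type both, track by_src, count N, seconds T'.

    For each source IP a counting interval starts at its first event; one
    alert is raised when that interval holds N events, and a fresh interval
    begins once the old one has expired. Returns [(src_ip, alert_time), ...].
    """
    window_start = {}
    seen = defaultdict(int)
    alerts = []
    for time, src, _port, _dst, _note in sorted(events):
        if src not in window_start or time - window_start[src] >= seconds:
            window_start[src] = time   # start a new counting interval
            seen[src] = 0
        seen[src] += 1
        if seen[src] == count:          # fires once per interval (type both)
            alerts.append((src, time))
    return alerts


def sources_firing(events, count, seconds):
    """Set of source IPs that would produce at least one alert."""
    return {src for src, _t in threshold_alerts(events, count, seconds)}


def main():
    print(EXAMPLE_RULE)
    for count in (5, 10):
        firing = sorted(sources_firing(SAMPLE_EVENTS, count, 60))
        print(f"count {count:2d} / 60s -> alerts from {firing}")


if __name__ == "__main__":
    main()
```

At 5 per minute both the scanner and the NAT gateway fire, so the six legitimate users behind one address are indistinguishable from a scan; at 10 per minute only the scanner fires, at the cost that a slower scanner (fewer than ten attempts a minute) would also stay under the threshold. That trade-off is why the number has to be set per site rather than shipped as a fixed value.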