[Snort-sigs] SSH Scans

Ben Whaley snort-sigs at ...2528...
Mon Aug 23 13:30:17 EDT 2004


FYI, here is the exploit that is probably causing these attacks:

http://www.k-otik.com/exploits/08202004.brutessh2.c.php

- Ben

Matthew Jonkman wrote:

> Frank Knobbe wrote:
> 
>> On Mon, 2004-08-23 at 13:17, Matthew Jonkman wrote:
>>
>>> 5 ssh connects in 60 seconds from one source is generally unusual.
>>
>> If you are under the impression that one source IP represents one user,
>> then yes. However, what about networks behind a single NAT IP, or
>> proxies? (AOL for example)
>> If you have 5+ different users/server behind a NAT gateway logging into
>> the same box, you will falsely trigger that rule.
>>
>> Be very careful when working with thresholds. Remember that a single IP
>> can be multiple users.
> 
> Very true. Maybe 10/minute would be a better threshold?
> 
> Definitely something to adjust locally I think. We have a lot of people 
> coming from single sites and IP's as well, but it'd be pretty rare that 
> 5 new connections to the same box opened up within a minute I'd think.
> 
> Matt
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 

-- 
Benjamin A. Whaley			Phone: 303.245.4521
Applied Trust Engineering		Fax: 303.245.4510
ben at ...2528...				www.atrust.com
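The thread above argues over where to set an SSH connection-rate threshold (5 per minute versus 10 per minute, tracked per source IP) and why a NAT gateway or proxy that fronts many users will trip a low per-source count. The following is an added example, not code from the thread or from Snort: a small Python sliding-window detector, loosely modelled on the semantics of Snort's `threshold: type threshold, track by_src, count N, seconds S` option (alert every time N events from the same key fall within S seconds, then start counting again), run over constructed sshd log lines. The addresses, usernames and timestamps are invented for the example; `10.0.0.5` stands in for a NAT gateway with several distinct users behind it, and `198.51.100.7` for a single host hammering one account. It also goes one step beyond the thread by letting the tracking key be `(src, user)` instead of just `src`, which is one way to keep the NAT case from firing without raising the count.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log (not from the original thread).
# 10.0.0.5  : NAT gateway, six different users log in within 40 seconds.
# 198.51.100.7 : one host, twelve failed attempts against "root" in 33 seconds.
SAMPLE_LOG = """\
Aug 23 13:17:01 gw sshd[101]: Accepted password for alice from 10.0.0.5 port 50001 ssh2
Aug 23 13:17:05 gw sshd[102]: Accepted password for bob from 10.0.0.5 port 50002 ssh2
Aug 23 13:17:12 gw sshd[103]: Accepted password for carol from 10.0.0.5 port 50003 ssh2
Aug 23 13:17:20 gw sshd[104]: Accepted password for dave from 10.0.0.5 port 50004 ssh2
Aug 23 13:17:33 gw sshd[105]: Accepted password for erin from 10.0.0.5 port 50005 ssh2
Aug 23 13:17:41 gw sshd[106]: Accepted password for frank from 10.0.0.5 port 50006 ssh2
""" + "".join(
    # twelve failed root logins, one every three seconds from 13:18:02
    f"Aug 23 13:18:{2 + 3 * i:02d} gw sshd[{200 + i}]: Failed password for root "
    f"from 198.51.100.7 port {40000 + i} ssh2\n"
    for i in range(12)
)

# Matches both "Accepted ... for user" and "Failed ... for invalid user name".
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(log_text):
    """Return (timestamp, src_ip, user, result) tuples in file order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year; only differences between stamps matter here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect(events, count, seconds, track="by_src"):
    """Sliding-window rate threshold.

    Alerts once each time `count` events sharing the tracking key fall within
    `seconds`, then clears that key's window (roughly Snort's `type threshold`).
    track="by_src"  -> key is the source IP (what the thread discusses).
    track="by_user" -> key is (source IP, username), so distinct users behind
                       one NAT address are counted separately.
    Returns a list of (key, "HH:MM:SS") alert tuples.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, src, user, _result in events:
        key = src if track == "by_src" else (src, user)
        window = windows[key]
        window.append(ts)
        # Drop events older than the window; ts itself is always kept.
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()
        if len(window) >= count:
            alerts.append((key, ts.strftime("%H:%M:%S")))
            window.clear()
    return alerts


def run(log_text, count, seconds, track="by_src"):
    """Parse and detect in one call; convenient for comparing thresholds."""
    return detect(parse(log_text), count, seconds, track)


if __name__ == "__main__":
    for count, track in ((5, "by_src"), (10, "by_src"), (5, "by_user")):
        print(f"count={count} seconds=60 track={track}:")
        for key, when in run(SAMPLE_LOG, count, 60, track):
            print(f"  alert {key} at {when}")
```

With `count=5, track=by_src` the NAT gateway fires alongside the real scanner, which is Frank's false-positive case; raising the count to 10 (Matt's suggestion) silences the gateway in this sample but would also miss a slower scanner, while keying on `(src, user)` keeps the 5/60 sensitivity for repeated attempts against one account without counting six unrelated users as one offender. Which adjustment fits depends on the site, as the thread concludes.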
