[Snort-sigs] Help: ssh intrusion detection rule makes snort stop
gmichalk at ...2916...
Thu Dec 2 08:34:01 EST 2004
Using : Snort 2.2 on slackware 9.1, logs are backed up in a mysql database.
I am trying to use this rule:
alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; \
threshold:type threshold, track by_src, count 3, seconds 60; \
With this rule
When I start snort, it appears in "ps aux", and then quietly shuts down.
Without this rule, snort just runs fine.
I really need this kind of rule. I would be more than happy if someone could
possibly help me.
More information about the Snort-sigs