[Snort-sigs] Help: ssh intrusion detection rule makes snort stop

sekure sekure at ...2420...
Thu Dec 2 13:05:08 EST 2004


Any error messages in syslog?


On Thu, 2 Dec 2004 09:08:19 +0100, Gerd-Christian Michalke
<gmichalk at ...2916...> wrote:
> Hello,
> 
> Using: Snort 2.2 on Slackware 9.1; logs are backed up in a MySQL database.
> 
> I am trying to use this rule:
> alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; \
>         flow:to_server; \
>         flags:S; \
>         threshold:type threshold, track by_src, count 3, seconds 60; \
>         classtype:attempted-dos; \
>         sid:2001219; \
>         rev:4; \
>         resp:rst-all; \
> )
> 
> With this rule, when I start snort, it appears in "ps aux", and then quietly shuts down.
> 
> Without this rule, snort just runs fine.
> 
> I really need this kind of rule. I would be more than happy if someone could
> possibly help me.
> 
> Yours sincerely,
> G. Michalke
> 
>
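
Added example, not part of the thread and not Snort's own code: when one rule makes Snort exit at startup, checking that rule's option arguments offline narrows down what the rule parser may be rejecting. This Python script (function names are hypothetical) checks the posted rule's `resp` and `threshold` arguments against the values the Snort 2.x manual documents; it does not model whether the Snort build includes flexresp support.

```python
import re

# resp modifier names documented in the Snort 2.x manual (underscores, no hyphens).
RESP_MODIFIERS = {"rst_snd", "rst_rcv", "rst_all",
                  "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
THRESHOLD_ALLOWED = {"type": {"limit", "threshold", "both"}, "track": {"by_src", "by_dst"}}

# The rule as posted in the thread (quote markers removed).
RULE_FROM_POST = r'''alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; \
        flow:to_server; \
        flags:S; \
        threshold:type threshold, track by_src, count 3, seconds 60; \
        classtype:attempted-dos; \
        sid:2001219; \
        rev:4; \
        resp:rst-all; \
)'''

def parse_options(rule):
    """Return the (keyword, argument) pairs from a rule's option block."""
    rule = re.sub(r"\\\s*\n", " ", rule)        # join backslash-continued lines
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options = []
    for chunk in re.split(r"(?<!\\);", body):   # ';' ends an option unless escaped
        if chunk.strip():
            key, _, arg = chunk.strip().partition(":")
            options.append((key.strip(), arg.strip()))
    return options

def lint(rule):
    """Return a list of problems found in the resp and threshold options."""
    problems = []
    for key, arg in parse_options(rule):
        if key == "resp":
            for mod in (m.strip() for m in arg.split(",")):
                if mod not in RESP_MODIFIERS:
                    problems.append(f"resp: unknown modifier '{mod}'")
        elif key == "threshold":
            fields = dict(f.split()[:2] for f in arg.split(",") if len(f.split()) >= 2)
            for name, allowed in THRESHOLD_ALLOWED.items():
                if fields.get(name) not in allowed:
                    problems.append(f"threshold: bad {name} '{fields.get(name)}'")
            for name in ("count", "seconds"):
                if not fields.get(name, "").isdigit():
                    problems.append(f"threshold: {name} must be a number")
    return problems

if __name__ == "__main__":
    print(lint(RULE_FROM_POST))
```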



