[Snort-sigs] Help: ssh intrusion detection rule makes snort stop

nnposter at ...592...
Thu Dec 2 18:23:02 EST 2004


> I am trying to use this rule:
> alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; \
>         flow:to_server; \
>         flags:S; \
>         threshold:type threshold, track by_src, count 3, seconds 60; \
>         classtype:attempted-dos; \
>         sid:2001219; \
>         rev:4; \
>         resp:rst-all; \
> )

rst-all != rst_all

Cheers,
nnposter
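
The check behind the reply above, as an added example that is not part of the original post and not Snort's own code: a small Python linter that pulls the `resp` option out of a rule and validates its modifiers before the rule is loaded. It assumes the Snort 2.x flexresp modifier set (`rst_snd`, `rst_rcv`, `rst_all`, `icmp_net`, `icmp_host`, `icmp_port`, `icmp_all`); the names `rule_options` and `check_resp` are hypothetical.

```python
import difflib
import re

# Assumption: modifiers accepted by the Snort 2.x flexresp "resp" keyword.
VALID_RESP = {"rst_snd", "rst_rcv", "rst_all",
              "icmp_net", "icmp_host", "icmp_port", "icmp_all"}

# Constructed sample: the rule quoted in the thread, as it would sit in a rules file.
SAMPLE_RULE = r'''alert tcp any any -> $HOME_NET 22 (msg:"Potential SSH Brute Force Attack"; \
        flow:to_server; \
        flags:S; \
        threshold:type threshold, track by_src, count 3, seconds 60; \
        classtype:attempted-dos; \
        sid:2001219; \
        rev:4; \
        resp:rst-all; \
)'''

def rule_options(rule):
    """Return (keyword, value) pairs from the option block of one rule."""
    rule = re.sub(r"\\\s*\n", " ", rule)  # join backslash-continued lines
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    # Split on ';' outside double quotes, so msg text may contain ';'.
    parts = re.findall(r'(?:[^;"]|"(?:\\.|[^"\\])*")+', body)
    options = []
    for part in parts:
        if part.strip():
            key, _, value = part.strip().partition(":")
            options.append((key.strip(), value.strip()))
    return options

def check_resp(rule):
    """Return a list of problems found in the rule's resp option(s)."""
    problems = []
    for key, value in rule_options(rule):
        if key != "resp":
            continue
        for mod in (m.strip() for m in value.split(",")):
            if mod not in VALID_RESP:
                hint = difflib.get_close_matches(mod, VALID_RESP, n=1)
                tip = f" (did you mean '{hint[0]}'?)" if hint else ""
                problems.append(f"resp: unknown modifier '{mod}'{tip}")
    return problems

if __name__ == "__main__":
    for line in check_resp(SAMPLE_RULE):
        print(line)
```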



