[Snort-sigs] SSH brute force attack sig

Paul Schmehl pauls at ...1311...
Wed Jul 6 10:53:25 EDT 2005

Does anyone have one?

I put together a very simple one to catch *outgoing* evil, but I'm 
wondering if anyone has packet captures that would help with content 

Here's the rule I wrote:

# New rule for catching ssh brute-force attacks
alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack"; threshold: type both, track by_src, count 2000, seconds 60; classtype:trojan-activity; sid:1000281; rev:2;)

It's catching some legitimate sessions, so I'll probably need to raise the 
threshold more, but I'm wondering if there's a packet capture that has 
something unique the rule could trigger on.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
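The following is an added worked example, not code from the poster or from the Snort project. It models the `threshold: type both, track by_src, count N, seconds N` semantics of a Snort 2.x rule in Python (an approximation of Snort's behaviour, assumed here: per-source window starting at the first event, one alert when the count is reached, suppression until the window expires) and runs it over constructed traffic (not a real capture) to show why a rule that counts every packet to tcp/22 fires on a single legitimate bulk SSH/scp session while a 300-attempt-per-minute brute force slips under it, and how counting only connection setups (SYNs) per source separates the two. Host addresses and packet rates are made up for illustration.

```python
"""Added example: Snort 'threshold: type both, track by_src' semantics applied
to two kinds of event streams (every packet to tcp/22 vs. SYN-only), over
constructed traffic.  Not Snort code; an approximation of its behaviour."""
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst dport flags")


def threshold_both(events, count, seconds):
    """Approximation of Snort 2.x 'type both' per tracked key (the source IP):
    count events in a window of `seconds` that opens at the first event seen,
    alert once when `count` is reached, suppress further alerts until the
    window expires, then open a fresh window.  `events` is a time-ordered list
    of (key, timestamp) tuples; returns the (key, timestamp) of each alert."""
    fired = []
    state = {}  # key -> [window_start, hits, already_alerted]
    for key, ts in events:
        st = state.setdefault(key, [ts, 0, False])
        if ts - st[0] >= seconds:          # window expired: start over
            st[:] = [ts, 0, False]
        st[1] += 1
        if st[1] >= count and not st[2]:
            fired.append((key, ts))
            st[2] = True
    return fired


def ssh_bulk_session(src, dst, t0, packets, duration):
    """Constructed: one legitimate established SSH session (think scp of a
    large file) - a single SYN followed by a steady stream of data packets."""
    out = [Packet(t0, src, dst, 22, "S")]
    out += [Packet(t0 + duration * i / packets, src, dst, 22, "PA")
            for i in range(packets)]
    return out


def brute_force(src, dst, t0, attempts, duration):
    """Constructed: a password guesser opening many short connections, each a
    SYN plus a handful of data packets before the server drops it."""
    out = []
    for i in range(attempts):
        t = t0 + duration * i / attempts
        out.append(Packet(t, src, dst, 22, "S"))
        out += [Packet(t + 0.01 * k, src, dst, 22, "PA") for k in (1, 2, 3)]
    return out


def all_packets(pkts):
    """Event stream the posted rule sees: every packet to port 22, by source."""
    return [(p.src, p.ts) for p in pkts if p.dport == 22]


def new_connections(pkts):
    """Alternative event stream: only connection setups (SYN) to port 22."""
    return [(p.src, p.ts) for p in pkts if p.dport == 22 and p.flags == "S"]


def compare(t0=1000.0):
    """Run both event streams through the threshold and report which sources
    alert.  10.1.1.5 is the legitimate bulk session, 10.1.1.99 the guesser."""
    scp = ssh_bulk_session("10.1.1.5", "192.0.2.10", t0, packets=3000, duration=60)
    brute = brute_force("10.1.1.99", "192.0.2.10", t0, attempts=300, duration=60)
    traffic = sorted(scp + brute)          # interleave by timestamp
    return {
        # posted rule: 2000 packets of any kind to tcp/22 per source per minute
        "all_pkts_2000": sorted({k for k, _ in threshold_both(all_packets(traffic), 2000, 60)}),
        # counting connection setups instead: 30 new SSH connections per minute
        "syn_only_30": sorted({k for k, _ in threshold_both(new_connections(traffic), 30, 60)}),
    }


if __name__ == "__main__":
    for name, sources in compare().items():
        print(f"{name}: alerted on {sources or 'nobody'}")
```

With the constructed rates above, `all_pkts_2000` alerts on the legitimate scp host (3001 packets inside one 60-second window) and stays silent on the guesser (300 attempts x 4 packets = 1200 packets), while `syn_only_30` alerts on the guesser alone. In Snort terms the second stream corresponds to restricting the rule to connection setups (for example `flags:S;` or `flow:stateless;` plus a SYN match) before the threshold, so the counter measures new sessions rather than bytes moved. Note also that `threshold` inside a rule body was later deprecated in Snort 2.x in favour of `detection_filter` (and `event_filter` in threshold.conf); the counting model shown here is the same.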
