[Snort-sigs] SSH brute force attack sig

Paul Schmehl pauls at ...1311...
Wed Jul 6 10:53:25 EDT 2005


Does anyone have one?

I put together a very simple one to catch *outgoing* evil, but I'm 
wondering if anyone has packet captures that would help with content 
definitions.

Here's the rule I wrote:

# New rule for catching ssh brute-force attacks
alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack"; threshold: type both, track by_src, count 2000, seconds 60; classtype:trojan-activity; sid:1000281; rev:2;)

It's catching some legitimate sessions, so I'll probably need to raise the 
threshold more, but I'm wondering if there's a packet capture that has 
something unique the rule could trigger on.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
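The rule above has no flow or flags option, so every packet a source sends to port 22 counts toward the threshold, and a single file copy over ssh can reach 2000 packets in a minute. The Python below is an added illustration, not code from the post or from Snort: it approximates Snort's `threshold: type both, track by_src` counting over constructed traffic and compares the posted rule with a hypothetical variant that counts only SYN packets (adding `flags:S` and lowering the count is my assumption about how one might tighten it).

```python
from collections import defaultdict

# Approximation of Snort 2.x "threshold: type both, track by_src, count N,
# seconds S": alert once when a source reaches N matching packets inside a
# fixed S-second window, then stay silent until that window expires.
def snort_threshold_both(packets, count, seconds, match):
    """Return (src, timestamp) for each alert the threshold would raise."""
    window_start, hits, fired, alerts = {}, defaultdict(int), {}, []
    for ts, src, dport, is_syn in packets:       # packets sorted by time
        if dport != 22 or not match(is_syn):
            continue
        if src not in window_start or ts - window_start[src] >= seconds:
            window_start[src], hits[src], fired[src] = ts, 0, False
        hits[src] += 1
        if hits[src] >= count and not fired[src]:
            fired[src] = True
            alerts.append((src, ts))
    return alerts

def posted_rule(packets):
    # The rule as posted has no flow or flags option, so every packet a
    # source sends to port 22 counts toward the 2000-in-60s threshold.
    return snort_threshold_both(packets, 2000, 60, lambda is_syn: True)

def syn_only_rule(packets):
    # Hypothetical tightened rule (assumption, not from the post): with
    # flags:S only connection attempts count, so a much lower count works.
    return snort_threshold_both(packets, 30, 60, lambda is_syn: is_syn)

# Constructed traffic: (timestamp_s, src_ip, dst_port, is_syn).
def scp_session(src="10.0.0.5"):
    # One legitimate connection: a single SYN, then 2500 data packets
    # over 25 seconds, as a file copy over ssh would produce.
    return [(0.0, src, 22, True)] + [(0.01 * i, src, 22, False) for i in range(1, 2501)]

def brute_force(src="10.0.0.9"):
    # 600 separate login attempts in a minute: one SYN plus three
    # payload packets each.
    pkts = []
    for i in range(600):
        t = 0.1 * i
        pkts.append((t, src, 22, True))
        pkts += [(t + 0.02 * j, src, 22, False) for j in (1, 2, 3)]
    return pkts

if __name__ == "__main__":
    for name, traffic in (("scp session", scp_session()), ("brute force", brute_force())):
        print(f"{name:12s} posted rule: {posted_rule(traffic)}  syn-only: {syn_only_rule(traffic)}")
```

The posted rule fires on both samples, while the SYN-counting variant stays quiet for the single long session and still fires early in the login burst.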