[Snort-sigs] SSH brute force attack sig
pauls at ...1311...
Wed Jul 6 10:53:25 EDT 2005
Does anyone have one?
I put together a very simple one to catch *outgoing* evil, but I'm
wondering if anyone has packet captures that would help with content
Here's the rule I wrote:
# New rule for catching ssh brute-force attacks
# (the post ends mid-rule; closing paren, sid and rev added so it loads;
#  the sid is a placeholder in the local-rule range, not from the post)
alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack"; \
    threshold: type both, track by_src, count 2000, seconds 60; \
    classtype:trojan-activity; sid:1000001; rev:1;)
It's catching some legitimate sessions, so I'll probably need to raise the
threshold more, but I'm wondering if there's a packet capture that has
something unique the rule could trigger on.
Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
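Added example (not part of Paul's post): a small Python model of the rule's
"threshold: type both, track by_src, count 2000, seconds 60" logic, run over
constructed tcp/22 traffic, to show why counting every packet fires on a long
legitimate session while counting only connection attempts (what restricting
the rule with flags:S would do) does not. The traffic and the syn_only knob are
assumptions made here.

```python
# Constructed sample traffic (timestamp seconds, source IP, is_syn), not from the post.
# 10.0.0.5: one legitimate scp session, 1 SYN then ~5000 data packets in 50 s.
# 10.0.0.9: a brute-forcer opening 3000 short connections (4 packets each) in 45 s.
LEGIT = [(i * 0.01, "10.0.0.5", i == 0) for i in range(5000)]
BRUTE = [(i * 0.015 + k * 0.001, "10.0.0.9", k == 0)
         for i in range(3000) for k in range(4)]
PACKETS = sorted(LEGIT + BRUTE)


def threshold_both(events, count, seconds):
    """Simplified model of Snort 'threshold: type both, track by_src':
    per source, alert once when `count` matches fall within a `seconds`
    window, then stay quiet until that window expires and a new one starts."""
    windows = {}  # src -> [window_start, hits, already_alerted]
    alerts = []
    for ts, src in events:
        w = windows.get(src)
        if w is None or ts - w[0] >= seconds:
            w = windows[src] = [ts, 0, False]
        w[1] += 1
        if w[1] >= count and not w[2]:
            w[2] = True
            alerts.append((round(ts, 3), src))
    return alerts


def evaluate(packets, syn_only, count=2000, seconds=60):
    """Return (time, src) alerts the rule would raise. syn_only=False counts
    every packet to tcp/22 (the posted rule); syn_only=True counts only
    connection attempts, as a rule restricted with flags:S would."""
    events = [(ts, src) for ts, src, syn in packets if syn or not syn_only]
    return threshold_both(events, count, seconds)


if __name__ == "__main__":
    print("all packets :", evaluate(PACKETS, syn_only=False))
    print("SYN only    :", evaluate(PACKETS, syn_only=True))
```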