[Snort-sigs] SSH brute force attack sig

Matt Jonkman matt at ...2436...
Wed Jul 6 11:03:45 EDT 2005


SCAN/SCAN_SSH_Brute_Force:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
threshold: type threshold, track by_src, count 5, seconds 120;
classtype: suspicious-login; sid: 2001219; rev:10; )

We've tweaked this one to be near perfect. We are setting the
ssh.brute.attempt, but the other sigs that used to use it were removed.
So we could take that out, but it'll surely be useful somewhere down the
line.

This is in the SCAN ruleset on bleeding.

Let us know how the threshold in this one affects your net, being larger
than average.

Matt


Paul Schmehl wrote:
> Does anyone have one?
> 
> I put together a very simple one to catch *outgoing* evil, but I'm
> wondering if anyone has packet captures that would help with content
> definitions.
> 
> Here's the rule I wrote:
> 
> # New rule for catching ssh brute-force attacks
> alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack";
> threshold: type both, track by_src, count 2000, seconds 60;
> classtype:trojan-activity; sid:1000281; rev:2;)
> 
> It's catching some legitimate sessions, so I'l probably need to raise
> the threshold more, but I'm wondering if there's a packet capture that
> has something unique the rule could trigger on.
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
> 
> 
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.




More information about the Snort-sigs mailing list