[Snort-sigs] SSH brute force attack sig

Paul Schmehl pauls at ...1311...
Wed Jul 6 11:17:31 EDT 2005


--On Wednesday, July 06, 2005 13:01:02 -0500 Matt Jonkman 
<matt at ...2436...> wrote:

> SCAN/SCAN_SSH_Brute_Force:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
> Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
> threshold: type threshold, track by_src, count 5, seconds 120;
> classtype: suspicious-login; sid: 2001219; rev:10; )
>
> We've tweaked this one to be near perfect. We are setting the
> ssh.brute.attempt, but the other sigs that used to use it were removed.
> So we could take that out, but it'll surely be useful somewhere down the
> line.
>
> This is in the SCAN ruleset on bleeding.
>
> Let us know how the threshold in this one affects your net, being larger
> than average.
>
I'll let you know, but I have one question.

What is this: flowbits: set,ssh.brute.attempt;
                            ^^^^^^^^^^^^^^^^^

Is that a special, bleeding-snort conf value?  Or part of the std snort 
distro?

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
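As an added illustration (not part of the thread and not the bleeding-snort project's code), the following Python simulates what the quoted rule's `threshold: type threshold, track by_src, count 5, seconds 120` clause does to a stream of SYN packets aimed at port 22, and what `flowbits: set,ssh.brute.attempt` leaves behind as a per-flow flag that other rules can test. `flowbits` is a standard Snort 2 rule option, not a bleeding-specific configuration value. The sample events, the `BySrcThreshold` class and the `run_rule` function are constructed for this example; the model assumes the flowbit is set on every matching packet while the threshold only gates alert output, and it approximates Snort's `type threshold` as "alert on every 5th matching packet from a source within a 120-second window".

```python
"""Simulation of the quoted BLEEDING-EDGE SSH scan rule (example code only).

Models two rule options on constructed packet events:
  threshold: type threshold, track by_src, count 5, seconds 120
  flowbits:  set,ssh.brute.attempt   (a named flag attached to the flow)
"""

# Constructed sample events: (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
SAMPLE_EVENTS = [
    (0,   "198.51.100.7", "192.0.2.10", 22, "S"),
    (10,  "198.51.100.7", "192.0.2.11", 22, "S"),
    (20,  "198.51.100.7", "192.0.2.12", 22, "S"),
    (30,  "198.51.100.7", "192.0.2.13", 22, "S"),
    (40,  "198.51.100.7", "192.0.2.14", 22, "S"),   # 5th SYN within 120 s -> alert
    (50,  "203.0.113.5",  "192.0.2.10", 22, "S"),   # different source, only one SYN
    (60,  "198.51.100.7", "192.0.2.10", 22, "SA"),  # SYN/ACK: "flags: S" does not match
    (70,  "198.51.100.7", "192.0.2.10", 80, "S"),   # wrong port, rule does not match
    (300, "198.51.100.7", "192.0.2.15", 22, "S"),   # window expired, count restarts at 1
    (310, "198.51.100.7", "192.0.2.16", 22, "S"),
    (320, "198.51.100.7", "192.0.2.17", 22, "S"),
    (330, "198.51.100.7", "192.0.2.18", 22, "S"),
    (340, "198.51.100.7", "192.0.2.19", 22, "S"),   # 5th in the new window -> alert
]


class BySrcThreshold:
    """Approximation of Snort 'type threshold, track by_src'.

    Per source address, count matching events inside a sliding window of
    `seconds`; when the count reaches `count`, report an alert and reset.
    """

    def __init__(self, count, seconds):
        self.count = count
        self.seconds = seconds
        self.state = {}  # src_ip -> (window_start, events_so_far)

    def event(self, src, ts):
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:       # old window is stale: start over
            start, n = ts, 0
        n += 1
        if n >= self.count:                 # count-th event: alert, then reset
            self.state[src] = (ts, 0)
            return True
        self.state[src] = (start, n)
        return False


def rule_matches(dst_port, flags):
    """Header and 'flags: S' test of the quoted rule: SYN-only packets to tcp/22."""
    return dst_port == 22 and flags == "S"


def run_rule(events, count=5, seconds=120):
    """Return (alerts, flowbits) for a list of constructed packet events.

    alerts   : list of (timestamp, src_ip) where the threshold let an alert out
    flowbits : {(src_ip, dst_ip): {"ssh.brute.attempt"}} for every matched flow
    """
    thresh = BySrcThreshold(count, seconds)
    alerts = []
    flowbits = {}
    for ts, src, dst, dport, flags in events:
        if not rule_matches(dport, flags):
            continue
        # Assumed ordering: the flowbit is set on each matching packet,
        # whether or not the threshold suppresses the alert for it.
        flowbits.setdefault((src, dst), set()).add("ssh.brute.attempt")
        if thresh.event(src, ts):
            alerts.append((ts, src))
    return alerts, flowbits


if __name__ == "__main__":
    found, bits = run_rule(SAMPLE_EVENTS)
    for ts, src in found:
        print(f"t={ts:>4}s  BLEEDING-EDGE Potential SSH Scan  src={src}")
    print("flows carrying ssh.brute.attempt:", sorted(bits))
```

Running it shows two alerts for 198.51.100.7 (at t=40 s and t=340 s) and none for 203.0.113.5, which only sent one SYN; every matched flow, including the single SYN from 203.0.113.5, still carries the `ssh.brute.attempt` bit, which is why a later rule using `flowbits: isset,ssh.brute.attempt` could pick up that flow even though no scan alert was raised for it.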
