[Snort-sigs] SSH brute force attack sig

Paul Schmehl pauls at ...1311...
Wed Jul 6 11:17:31 EDT 2005

--On Wednesday, July 06, 2005 13:01:02 -0500 Matt Jonkman 
<matt at ...2436...> wrote:

> SCAN/SCAN_SSH_Brute_Force:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
> Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
> threshold: type threshold, track by_src, count 5, seconds 120;
> classtype: suspicious-login; sid: 2001219; rev:10; )
> We've tweaked this one to be near perfect. We are setting the
> ssh.brute.attempt, but the other sigs that used to use it were removed.
> So we could take that out, but it'll surely be useful somewhere down the
> line.
> This is in the SCAN ruleset on bleeding.
> Let us know how the threshold in this one affects your net, being larger
> than average.
I'll let you know, but I have one question.

What is this: flowbits: set,ssh.brute.attempt;

Is that a special, bleeding-snort conf value?  Or part of the std snort 

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member

More information about the Snort-sigs mailing list