[Snort-sigs] SSH brute force attack sig

Wes Young wcyoung at ...2584...
Wed Jul 6 11:29:27 EDT 2005


One thing I would watch for (this doesn't apply to everyone)
is if you host mirrors for various things onsite. I know I ran into a
few problems with that sig when replication happens over ssh (update
packages on server via ssh) etc... If the replication app spins off more
than 5 threads..... it will fire... so make sure you build in the vars
and verify that it's not causing you a FP before whitelisting them.

Just something to keep in mind....

Paul Schmehl wrote:
> --On Wednesday, July 06, 2005 13:01:02 -0500 Matt Jonkman
> <matt at ...2436...> wrote:
>> SCAN/SCAN_SSH_Brute_Force:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
>> Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
>> threshold: type threshold, track by_src, count 5, seconds 120;
>> classtype: suspicious-login; sid: 2001219; rev:10; )
>> We've tweaked this one to be near perfect. We are setting the
>> ssh.brute.attempt, but the other sigs that used to use it were removed.
>> So we could take that out, but it'll surely be useful somewhere down the
>> line.
>> This is in the SCAN ruleset on bleeding.
>> Let us know how the threshold in this one affects your net, being larger
>> than average.
> I'll let you know, but I have one question.
> What is this: flowbits: set,ssh.brute.attempt;
>                                        ^^^^^^^^^^^^^^
> Is that a special, bleeding-snort conf value?  Or part of the std snort
> distro?
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/

--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://tinyurl.com/8lnt3
My Life: http://tinyurl.com/l18g

