[Snort-sigs] SSH brute force attack sig

Wes Young wcyoung at ...2584...
Wed Jul 6 11:29:27 EDT 2005


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One thing I would watch for (this doesn't apply to everyone)
is if you host mirrors for various things onsite. I know I ran into a
few problems with that sig when replication happens over ssh (update
packages on server via ssh) etc... If the replication app spins off more
than 5 threads..... it will fire... so make sure you build in the vars
and verify that it's not causing you a FP before whitelisting them.

Just something to keep in mind....

Paul Schmehl wrote:
> --On Wednesday, July 06, 2005 13:01:02 -0500 Matt Jonkman
> <matt at ...2436...> wrote:
> 
>> SCAN/SCAN_SSH_Brute_Force:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
>> Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
>> threshold: type threshold, track by_src, count 5, seconds 120;
>> classtype: suspicious-login; sid: 2001219; rev:10; )
>>
>> We've tweaked this one to be near perfect. We are setting the
>> ssh.brute.attempt, but the other sigs that used to use it were removed.
>> So we could take that out, but it'll surely be useful somewhere down the
>> line.
>>
>> This is in the SCAN ruleset on bleeding.
>>
>> Let us know how the threshold in this one affects your net, being larger
>> than average.
>>
> I'll let you know, but I have one question.
> 
> What is this: flowbits: set,ssh.brute.attempt;
>                             ^^^^^^^^^^^^^^^^^
> 
> Is that a special, bleeding-snort conf value?  Or part of the std snort
> distro?
> 
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/

--
Wes Young
Network Security Analyst
University at Buffalo
GPG Key: http://tinyurl.com/8lnt3
My Life: http://tinyurl.com/l18g
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCzCLU1M5o0FsrrbERAiXpAJ4+9WQbxRdXVHDngN4Fy9tnF0IFjACfZXFU
Fj1y8VVcNeBXQ3OLJYDh0Qc=
=mFa2
-----END PGP SIGNATURE-----
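As an added illustration (not from this thread or the bleeding-edge ruleset), the Python model below replays the quoted rule's `threshold: type threshold, track by_src, count 5, seconds 120` bookkeeping over constructed SYN records. It shows why an on-site mirror host that opens more than five SSH connections in two minutes fires the same alert as a real scanner, and how taking that host out of the source set (the Snort equivalent being to carve it out of $EXTERNAL_NET or add a pass rule) suppresses the false positive. The packet records, the addresses and the `excluded_sources` parameter are constructed for the example; the per-source counter approximates Snort's threshold logic and is not Snort's own code.

```python
"""Model of the quoted SSH-scan rule's per-source threshold, applied to
constructed traffic. Added example; not code from the thread or from Snort."""
from collections import namedtuple

# One TCP packet as the rule header would see it (constructed record type).
Packet = namedtuple("Packet", "t src dst dport flags")


def synthesize_packets():
    """Build a constructed packet trace covering the cases under discussion."""
    pkts = []
    # Constructed: an on-site mirror host replicating over ssh that opens six
    # connections in 30 s, the scenario described in the message above.
    for i in range(6):
        pkts.append(Packet(5 * i, "10.0.0.5", "192.0.2.10", 22, "S"))
    # Constructed: a remote scanner sending one SYN per second to port 22.
    for i in range(12):
        pkts.append(Packet(100 + i, "203.0.113.9", "192.0.2.10", 22, "S"))
    # A SYN/ACK from the scanner: `flags: S` matches SYN alone, so no match.
    pkts.append(Packet(105, "203.0.113.9", "192.0.2.10", 22, "SA"))
    # Constructed: a legitimate admin, three logins then one 200 s later.
    for t in (300, 310, 320, 520):
        pkts.append(Packet(t, "198.51.100.7", "192.0.2.10", 22, "S"))
    # Non-SSH traffic is excluded by the rule header (dst port 22).
    pkts.append(Packet(301, "198.51.100.7", "192.0.2.10", 80, "S"))
    return sorted(pkts, key=lambda p: p.t)


def ssh_scan_alerts(packets, count=5, seconds=120, excluded_sources=frozenset()):
    """Return (timestamp, src) for every alert the rule would raise.

    Rule body: dst port 22 and TCP flags exactly SYN.  Threshold: track by
    source, alert each time `count` matching packets arrive within a
    `seconds` window measured from the first packet of the window, then
    reset the counter (an approximation of Snort's type-threshold logic).
    `excluded_sources` stands in for hosts removed from $EXTERNAL_NET.
    """
    state = {}  # src -> (window_start, matches_in_window)
    alerts = []
    for p in packets:
        if p.dport != 22 or p.flags != "S" or p.src in excluded_sources:
            continue
        start, n = state.get(p.src, (p.t, 0))
        if p.t - start >= seconds:
            # Window expired: start a fresh one at this packet.
            start, n = p.t, 0
        n += 1
        if n >= count:
            alerts.append((p.t, p.src))
            n = 0  # counter restarts after each alert
        state[p.src] = (start, n)
    return alerts


if __name__ == "__main__":
    trace = synthesize_packets()
    print("no whitelist:", ssh_scan_alerts(trace))
    print("mirror excluded:", ssh_scan_alerts(trace, excluded_sources={"10.0.0.5"}))
```

Without the exclusion the mirror host alerts once (fifth SYN at t=20) and the scanner twice; with it, only the scanner's two alerts remain, which is the behaviour to confirm in your own vars before deciding a source is safe to whitelist.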