[Snort-sigs] SSH brute force attack sig

Matt Jonkman matt at ...2436...
Wed Jul 6 11:33:20 EDT 2005

Flowbits is part of the standard snort for anything remotely recent.

The basis is you can use a flowbit like a variable, so you can pass
information from one stream or one sig to another.

In this case you could write another sig that only applied when
ssh.brute.attempt was set.

It's not relevant at this point because the sigs we had that did check
that variable we dropped. We thought a while ago we had a lead on the
packet size that we'd see on a successful authentication. So we wanted
to start looking for that packet if there was  a brute going on, that
being a big problem if a brute got a successful auth.

But the packet size proved not to be consistent.

But this sig is still very valuable on it's own. And accurate.


Paul Schmehl wrote:
> --On Wednesday, July 06, 2005 13:01:02 -0500 Matt Jonkman
> <matt at ...2436...> wrote:
>> SCAN/SCAN_SSH_Brute_Force:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
>> Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
>> threshold: type threshold, track by_src, count 5, seconds 120;
>> classtype: suspicious-login; sid: 2001219; rev:10; )
>> We've tweaked this one to be near perfect. We are setting the
>> ssh.brute.attempt, but the other sigs that used to use it were removed.
>> So we could take that out, but it'll surely be useful somewhere down the
>> line.
>> This is in the SCAN ruleset on bleeding.
>> Let us know how the threshold in this one affects your net, being larger
>> than average.
> I'll let you know, but I have one question.
> What is this: flowbits: set,ssh.brute.attempt;
>                                        ^^^^^^^^^^^^^^
> Is that a special, bleeding-snort conf value?  Or part of the std snort
> distro?
> Paul Schmehl (pauls at ...1311...)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.

More information about the Snort-sigs mailing list