[Snort-sigs] SSH brute force attack sig

Paul Schmehl pauls at ...1311...
Wed Jul 6 11:51:07 EDT 2005


--On Wednesday, July 06, 2005 13:30:04 -0500 Matt Jonkman 
<matt at ...2436...> wrote:

> Flowbits is part of the standard snort for anything remotely recent.
>
> The basis is you can use a flowbit like a variable, so you can pass
> information from one stream or one sig to another.
>
> In this case you could write another sig that only applied when
> ssh.brute.attempt was set.
>
> It's not relevant at this point because the sigs we had that did check
> that variable we dropped. We thought a while ago we had a lead on the
> packet size that we'd see on a successful authentication. So we wanted
> to start looking for that packet if there was a brute going on, that
> being a big problem if a brute got a successful auth.
>
Ahh...that makes sense.

What I wish snort had is something that could track multiple session 
initiation attempts to multiple hosts.  For example, if you could write a 
rule something like this, it would be very useful.

alert tcp any any -> any any (msg: "Multiple session inits"; flags: S; flowbits:init.host; init.host.connects: 200; rcv.hosts.connects: 200; sid: blah; rev: blah;)

I suppose a simple form of that could be:
alert tcp any any -> any any (msg: "Multiple session inits"; flags: S; threshold: type both, track by_src, count 200, seconds 60; sid: blah; rev: blah;)
(I might just play around with this.)

Now *that* would be a useful addition.  I have no idea if it could be done, 
though (codewise).  Obviously you'd have to use something to track the 
initiating host's connections, but if it could be done, it would be a 
killer keyword for catching bad stuff on your network (or coming into your 
network).

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
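As an added example (not code from the original thread), here is a small Python emulation of the threshold rule above together with the wished-for "many hosts" check, run over constructed SYN records; the log format, the function names and the scaled-down counts are assumptions.

```python
from collections import defaultdict, deque

def parse_syn_log(text):
    """Parse constructed 'ts src dst' lines (one SYN each) into sorted tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst = line.split()
        events.append((int(ts), src, dst))
    return sorted(events)

def session_init_alerts(events, count=200, seconds=60, min_hosts=1):
    """Approximate `threshold: type both, track by_src, count N, seconds S`:
    fire once per src when N SYNs fall inside an S-second window, then stay
    quiet for S seconds.  min_hosts adds the wished-for check that the SYNs
    went to at least that many distinct destination hosts (not a Snort keyword).
    Returns a list of (ts, src, distinct_dst_hosts)."""
    window = defaultdict(deque)   # src -> recent (ts, dst) inside the window
    quiet_until = {}              # src -> timestamp until which alerts are held
    alerts = []
    for ts, src, dst in events:
        recent = window[src]
        recent.append((ts, dst))
        while recent and ts - recent[0][0] >= seconds:   # drop expired SYNs
            recent.popleft()
        if len(recent) < count or ts < quiet_until.get(src, 0):
            continue
        hosts = {d for _, d in recent}
        if len(hosts) >= min_hosts:
            alerts.append((ts, src, len(hosts)))
            quiet_until[src] = ts + seconds
    return alerts

# Constructed sample: 10.0.0.5 sends one SYN per second to ten different
# hosts; 10.0.0.9 sends six SYNs to a single host.  Not real traffic.
SAMPLE_LOG = "\n".join(
    [f"{t} 10.0.0.5 192.0.2.{t}" for t in range(1, 11)]
    + [f"{t} 10.0.0.9 192.0.2.1" for t in range(3, 9)]
)

if __name__ == "__main__":
    events = parse_syn_log(SAMPLE_LOG)
    # Plain count threshold (scaled down to 5 in 60 s for the sample):
    # both sources trip it.
    print(session_init_alerts(events, count=5, seconds=60))
    # Require SYNs to 5 distinct hosts as well: only the fanning-out source trips it.
    print(session_init_alerts(events, count=5, seconds=60, min_hosts=5))
```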
