[Snort-sigs] SSH brute force attack sig

bmc at ...95...
Wed Jul 6 12:28:08 EDT 2005


On Wed, Jul 06, 2005 at 01:01:02PM -0500, Matt Jonkman wrote:
> SCAN/SCAN_SSH_Brute_Force:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
> Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
> threshold: type threshold, track by_src, count 5, seconds 120;
> classtype: suspicious-login; sid: 2001219; rev:10; )
>
>
> We've tweaked this one to be near perfect.

Heh.  Did you put "near perfect" in the message to get me to pipe up?

What's wrong with using sfportscan to detect this scan?  This "near
perfect" rule implements a crude network scan detection at a fairly
hefty cost to performance.

Brian
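To make the per-source bookkeeping behind the quoted rule concrete, here is a small model of its `threshold: type threshold, track by_src, count 5, seconds 120` clause applied to `flags: S` packets on port 22. This is an added example, not code from the thread or from Snort; the connection records are constructed, and the window-reset behaviour is a simplified reading of Snort's threshold semantics.

```python
"""Model of the counting done by the quoted rule (sid 2001219): every 5th pure SYN
to tcp/22 from one source within a 120 s window raises an alert. Simplified model,
not Snort's own implementation; all records below are constructed."""
from collections import namedtuple

# ts is seconds; flags is the TCP flag string as Snort would print it ("S", "SA", ...)
Event = namedtuple("Event", "ts src dport flags")

# Constructed traffic: one source hammering SSH, one slow source, and some noise.
SAMPLE_EVENTS = (
    [Event(t, "10.0.0.5", 22, "S") for t in range(0, 70, 10)]      # 7 SYNs in 60 s
    + [Event(t, "10.0.0.9", 22, "S") for t in range(0, 500, 100)]  # 5 SYNs over 400 s
    + [Event(5, "10.0.0.5", 22, "SA"),                              # SYN/ACK: not flags: S
       Event(6, "10.0.0.5", 80, "S")]                               # wrong port
)

def ssh_syn_threshold(events, count=5, seconds=120):
    """Return (ts, src) tuples for each alert. 'type threshold, track by_src':
    the window starts at a source's first counted SYN; when the counter reaches
    `count` inside the window the rule fires and the counter and window restart;
    a SYN arriving after the window has expired also restarts both."""
    state = {}   # src -> (window_start, hits): the per-source state the rule keeps
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dport != 22 or ev.flags != "S":
            continue  # only pure SYNs to port 22 match the rule header and flags: S
        start, hits = state.get(ev.src, (ev.ts, 0))
        if ev.ts - start >= seconds:        # window expired: start a fresh one
            start, hits = ev.ts, 0
        hits += 1
        if hits >= count:                   # every count-th SYN in the window alerts
            alerts.append((ev.ts, ev.src))
            start, hits = ev.ts, 0
        state[ev.src] = (start, hits)
    return alerts

if __name__ == "__main__":
    for ts, src in ssh_syn_threshold(SAMPLE_EVENTS):
        print(f"t={ts:>4}s  Potential SSH Scan from {src}")
```

The fast source trips the rule on its 5th SYN at t=40 and its remaining two SYNs start a new count; the slow source never accumulates five SYNs inside one 120 s window, so it stays silent.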