[Snort-sigs] SSH brute force attack sig

bmc at ...95... bmc at ...95...
Wed Jul 6 12:28:42 EDT 2005

On Wed, Jul 06, 2005 at 02:02:19PM -0500, Paul Schmehl wrote:
> >># New rule for catching ssh brute-force attacks
> >>alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack";
> >>threshold: type both, track by_src, count 2000, seconds 60;
> >>classtype:trojan-activity; sid:1000281; rev:2;)
> It tells me when I have a host on my network that is performing
> brute force SSH attacks.

Technically, no it doesn't.  Your rule generates an alert when a
single host sends 2000 packets in 60 seconds via tcp port 22.

SSH brute force attacks require many new SSH sessions.  Why not look
for the startup of a large number of SSH sessions within a given
period of time?

Try this snippet:

    flow:from_server,established; content:"SSH-"; depth:4;
    threshold: type both, track by_src, count 2000, seconds 60;


More information about the Snort-sigs mailing list