[Snort-sigs] SSH brute force attack sig

Russell Fulton r.fulton at ...575...
Wed Jul 6 21:51:34 EDT 2005


bmc at ...95... wrote:
> 
> 
> Heh.  Did you put "near perfect" in the message to get me to pipe up?
> 
> What's wrong with using sfportscan to detect this scan?  This "near
> perfect" rule implements a crude network scan detection at a fairly
> hefty cost to performance.
>

Not everyone runs sfportscan, or wants to.  Simple-minded portscanners get far too many FPs to be useful in our environment.  Rules like this allow us to focus on one very specific problem.





