[Snort-sigs] SSH brute force attack sig

bmc at ...95... bmc at ...95...
Thu Jul 7 08:22:35 EDT 2005


On Thu, Jul 07, 2005 at 04:50:47PM +1200, Russell Fulton wrote:
> not everyone runs sfportscan, or wants to.  Simple-minded portscanners get
> far too many FPs to be useful in our environment.  Rules like this allow us
> to focus on one very specific problem.

A quick glance at sfportscan shows that it has IP Set ignoring.  A
trivial change could be added to limit sfportscan to looking at
traffic for specific ports that you care about.

Then, instead of abusing rules to do what sfportscan does in a slowish
fashion, you can use sfportscan.

Brian



