[Snort-sigs] SSH brute force attack sig

Matt Jonkman matt at ...2436...
Thu Jul 7 08:28:42 EDT 2005

True, but we're still not able to use those events to respond or block.
Nor can we set different thresholds for different ports or port ranges.



bmc at ...95... wrote:
> On Thu, Jul 07, 2005 at 04:50:47PM +1200, Russell Fulton wrote:
>>not everyone runs sfportscan, or wants too.  Simple minded portscanners get
>>far to many FPs to be useful in our environment.  Rules like this allow us
>>to focus on one very specific problem.
> A quick glance at sfportscan shows that it has IP Set ignoring.  A
> trivial change could be added to limit sfportscan to looking at
> traffic for specific ports that you care about.
> Then, instead of abusing rules to do what sfportscan does in a slowish
> fashion, you can use sfportscan.
> Brian
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.

More information about the Snort-sigs mailing list