[Snort-sigs] SSH brute force attack sig

bmc at ...95...
Thu Jul 7 08:40:51 EDT 2005


On Wed, Jul 06, 2005 at 06:19:42PM -0500, Frank Knobbe wrote:
> On Wed, 2005-07-06 at 15:27 -0400, bmc at ...95... wrote:
> > On Wed, Jul 06, 2005 at 02:02:19PM -0500, Paul Schmehl wrote:
> > > >># New rule for catching ssh brute-force attacks
> > > >>alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack";
> > > >>threshold: type both, track by_src, count 2000, seconds 60;
> > > >>classtype:trojan-activity; sid:1000281; rev:2;)
> 
> Hehe... looks like the "flags:S;" somehow got dropped from your quote
> there Brian :)

In Paul Schmehl's original email (which I quoted) "flags:S;" was not in
the rule. "flags:S;" is in the 'near perfect' rule.  :)

Brian
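
Added example (not part of the original message, and not Snort's own code): a simplified Python model of the quoted rule's threshold, run over constructed traffic, showing what the rule counts without and with "flags:S;". The host addresses, packet timings and function names are assumptions made for the illustration.

```python
SYN, ACK = 0x02, 0x10
COUNT, SECONDS = 2000, 60          # values from the quoted rule

def threshold_both(events, count=COUNT, seconds=SECONDS):
    """Simplified model of 'threshold: type both, track by_src': per source,
    at most one alert per window, raised when the count-th event arrives."""
    state, alerts = {}, []
    for ts, src in events:         # each source's events must be in time order
        st = state.get(src)
        if st is None or ts - st[0] >= seconds:
            st = state[src] = [ts, 0, False]   # window start, hits, alerted
        st[1] += 1
        if st[1] >= count and not st[2]:
            st[2] = True
            alerts.append((ts, src))
    return alerts

def rule_matches(pkt, require_syn):
    ts, src, dport, flags = pkt
    if dport != 22:
        return False
    # flags:S with no modifier matches packets whose only flag is SYN
    return flags == SYN if require_syn else True

def constructed_traffic():
    # Constructed sample, not captured data.
    # 10.0.0.5: one SSH session carrying a bulk copy, 1 SYN + 3000 ACKs in 30 s
    bulk = [(0.0, "10.0.0.5", 22, SYN)]
    bulk += [(i * 0.01, "10.0.0.5", 22, ACK) for i in range(1, 3001)]
    # 10.0.0.9: 2500 new connection attempts in 50 s
    flood = [(i * 0.02, "10.0.0.9", 22, SYN) for i in range(2500)]
    return bulk + flood

def alerting_sources(require_syn):
    events = [(p[0], p[1]) for p in constructed_traffic()
              if rule_matches(p, require_syn)]
    return sorted(src for _, src in threshold_both(events))

if __name__ == "__main__":
    print("without flags:S:", alerting_sources(False))
    print("with flags:S:   ", alerting_sources(True))
```

Without "flags:S;" the threshold counts packets, so a single busy session from a $HOME_NET host reaches 2000 in 60 seconds; with it the threshold counts connection attempts.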



