[Snort-sigs] SSH brute force attack sig

James Riden j.riden at ...1766...
Thu Jul 7 14:26:19 EDT 2005

Jeff Kell <jeff-kell at ...922...> writes:

> Matt Jonkman wrote:
> > True, but we're still not able to use those events to respond or block.
> > Nor can we set different thresholds for different ports or port ranges.
> And P2P searches drive sfportscan nuts, making it essentially useless here.

On the other hand, we *are* interested in P2P and sfportscan is very
useful. Admittedly, I do some post-processing on portscan.log, but
it's really only counting the number of times a source IP has appeared
- I get paged if the dest. port is consistently 22, 135, 445,
etc. sfportscan does have false positives, but after a couple of
hundred events, it's usually worth taking a look at - in this
environment anyway.

James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

More information about the Snort-sigs mailing list