[Snort-sigs] Snort rules

ARUN LAL arunlal7701 at ...2420...
Fri Mar 18 03:22:05 EDT 2016

Hi All,

Can anyone explain this rule?

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 30; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; react:block; sid:20000201; rev:19;)

Will react:block help us block the IP?