[Snort-sigs] Snort rules

Elliot Anderson new.http.451 at ...2420...
Fri Mar 18 05:03:22 EDT 2016


Hey,

It is a rule that triggers on (or blocks, if you have inline sensors) connection attempts (flags:S - SYN / brute force attempts) towards your SSH services (HOME_NET 22). It will alert on 5 failed attempts in 30 seconds (count 5, seconds 30) from one IP (track by_src).

E.

> On 18 Mar 2016, at 09:22, ARUN LAL <arunlal7701 at ...2420...> wrote:
> 
> Hi All,
> 
> Can anyone explain this rule?
> 
> -------------------------------
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 30; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; react:block; sid:20000201; rev:19;)
> --------------------------------
> 
> Will react:block help us with blocking the IP?
> 
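Added example, not from this thread or from Emerging Threats: a small Python model of how the quoted rule's pieces combine, the header (destination port 22), `flags:S,12` (exactly SYN once the two reserved ECN bits are masked out) and `threshold: type both, track by_src, count 5, seconds 30` (one alert per source per 30-second window, raised on the fifth hit and silent for the rest of that window). Class and function names and the packet tuples are my own constructions, and the window timing approximates Snort's rather than reproducing it exactly.

```python
from dataclasses import dataclass

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
IGNORE_12 = ECE | CWR   # the ",12" in flags:S,12: reserved bits 1 and 2 are don't-care
SSH_PORT = 22

@dataclass
class Window:
    start: float          # timestamp of the first counted packet from this source
    count: int = 0
    fired: bool = False   # "type both": alert at most once per window

class SshScanRule:
    """Model of: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (flags:S,12;
    threshold: type both, track by_src, count 5, seconds 30;)"""
    def __init__(self, count=5, seconds=30):
        self.count, self.seconds = count, seconds
        self.windows = {}   # track by_src: one window per source address

    def matches(self, dst_port, flags):
        # flags:S,12 means "exactly SYN" after ignoring ECE/CWR, so SYN/ACK does not match
        return dst_port == SSH_PORT and (flags & ~IGNORE_12) == SYN

    def observe(self, ts, src, dst_port, flags):
        """Return True when the rule would raise an alert for this packet."""
        if not self.matches(dst_port, flags):
            return False
        w = self.windows.get(src)
        if w is None or ts - w.start >= self.seconds:
            w = self.windows[src] = Window(start=ts)   # window expired: start a fresh one
        w.count += 1
        if not w.fired and w.count >= self.count:       # fifth hit in the window: alert once
            w.fired = True
            return True
        return False

def run(packets, rule=None):
    """Feed (ts, src, dst_port, flags) tuples in time order; return alert timestamps."""
    rule = rule or SshScanRule()
    return [ts for ts, src, port, flags in sorted(packets) if rule.observe(ts, src, port, flags)]

# Constructed sample traffic: 10.0.0.9 sends 7 SYNs to :22 within 12s, then one more at t=40.
SAMPLE = [(t, "10.0.0.9", 22, SYN) for t in (0, 2, 4, 6, 8, 10, 12)] + [
    (5, "10.0.0.7", 22, SYN | ACK),          # SYN/ACK: flags:S,12 does not match
    (6, "10.0.0.7", 2222, SYN),              # wrong port: header does not match
    (9, "10.0.0.7", 22, SYN | ECE | CWR),    # ECN bits ignored: counts as a plain SYN
    (40, "10.0.0.9", 22, SYN),               # 40s after t=0: new window, count restarts at 1
]

if __name__ == "__main__":
    print(run(SAMPLE))   # [8]: one alert, on the fifth SYN from 10.0.0.9
```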
