[Snort-sigs] snort rules

Jean Michel Tangué jeanmicheltangue at gmail.com
Mon Jul 23 15:29:38 EDT 2018


alert tcp 192.168.1.30 any -> 192.168.1.50 22 (
msg:"SSH Brute Force Attempt";
flow:established,to_server;
content:"SSH"; nocase; offset:0; depth:4;
detection_filter:track by_src, count 3, seconds 60;
sid:10000001; rev:1;)


I wrote this rule so that when there are more than three failed SSH connection
attempts there is an alert, but it is not working. Is it the rule
that is badly written? Or if not, I ask for the exact writing of the rule.
Thank you very much for helping me.
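An added illustration (not part of the post, and a model rather than Snort's own code) of what this rule actually counts: the content check hits the client's SSH version banner, which each TCP connection sends once, so the detection_filter counts connections per source, not the failed logins that happen inside the encrypted channel. The filter semantics follow the Snort manual (fires on matches beyond `count` within a `seconds` window that opens at the source's first match); the packet dictionaries and traffic below are constructed.

```python
# Model of the posted rule's checks (constructed here; not Snort's own code).
RULE = {"src": "192.168.1.30", "dst": "192.168.1.50", "dport": 22,
        "content": b"ssh", "offset": 0, "depth": 4,   # content:"SSH"; nocase
        "count": 3, "seconds": 60}                     # detection_filter

def rule_body_matches(pkt):
    """Rule header, flow:to_server and content:"SSH"; nocase; offset:0; depth:4."""
    if (pkt["src"], pkt["dst"], pkt["dport"]) != (RULE["src"], RULE["dst"], RULE["dport"]):
        return False
    if pkt["dir"] != "to_server":
        return False
    window = pkt["payload"][RULE["offset"]:RULE["offset"] + RULE["depth"]]
    return RULE["content"] in window.lower()

class DetectionFilter:
    """detection_filter:track by_src, count c, seconds s.  Per the Snort manual
    the sampling window starts at a source's first match and the rule fires on
    every further match beyond the first c inside that window."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}                        # src -> [window_start, matches]
    def fires(self, src, ts):
        start, n = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            self.state[src] = [ts, 1]          # open a new window on this match
            return 1 > self.count
        self.state[src][1] = n + 1
        return n + 1 > self.count

def alert_times(packets):
    """Timestamps (seconds) at which the posted rule would alert."""
    df = DetectionFilter(RULE["count"], RULE["seconds"])
    return [p["ts"] for p in packets
            if rule_body_matches(p) and df.fires(p["src"], p["ts"])]

# Constructed traffic: a client sends its version banner once per TCP
# connection; every password attempt after that travels encrypted.
def banner(ts, src="192.168.1.30"):
    return {"ts": ts, "src": src, "dst": "192.168.1.50", "dport": 22,
            "dir": "to_server", "payload": b"SSH-2.0-OpenSSH_7.4\r\n"}

def encrypted(ts, src="192.168.1.30"):
    return {"ts": ts, "src": src, "dst": "192.168.1.50", "dport": 22,
            "dir": "to_server", "payload": bytes(range(0x80, 0xa0))}

# Ten failed passwords inside ONE connection: only the banner matches, no alert.
one_session = [banner(0)] + [encrypted(1 + i) for i in range(10)]
# Four separate connections in 60 s: alert on the 4th banner (4 > count 3).
four_sessions = [banner(t) for t in (0, 10, 20, 30)]
```

Counting failed authentications needs a source that can see them, such as the sshd log, since the packet content after the banner is opaque to a content match.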

