[Snort-sigs] snort rules

Joel Esler (jesler) jesler at cisco.com
Mon Jul 23 16:00:15 EDT 2018


I believe the "SSH" banner would be going the other way (192.168.1.50 22 -> 192.168.1.30 any).

On Jul 23, 2018, at 3:29 PM, Jean Michel Tangué via Snort-sigs <snort-sigs at lists.snort.org> wrote:

alert tcp 192.168.1.30 any -> 192.168.1.50 22 (
msg:"SSH Brute Force Attempt";
flow:established,to_server;
content:"SSH"; nocase; offset:0; depth:4;
detection_filter:track by_src, count 3, seconds 60;
sid:10000001; rev:1;)


I wrote this rule so that when Yura makes more than three failed SSH connection attempts there is an alert, but it is not working. Is it the rule that is badly written? Or if not, I ask for the exact writing of the rule. Thank you very much for helping me.

_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit Snort.org to subscribe to the official Snort ruleset, and make sure to stay up to date to catch the most emerging threats: https://snort.org/downloads/#rule-downloads
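As an added illustration (not part of the thread, and not Snort's own code), a small Python model of how the quoted rule's header, flow direction and detection_filter interact. It assumes the documented detection_filter semantics, where an event is generated only once more than `count` matches from the tracked address have accrued within `seconds`; the connection records are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Conn:
    """One TCP segment carrying an SSH identification string (constructed)."""
    t: float            # seconds since start of the capture
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool     # flow direction as Snort's flow option sees it
    payload: bytes

@dataclass
class DetectionFilter:
    """Model of detection_filter: track by_src|by_dst, count c, seconds s.
    An event is generated only once more than `count` matches from the same
    tracked address have accrued inside a `seconds` window."""
    count: int
    seconds: int
    track: str = "by_src"
    windows: dict = field(default_factory=dict)   # addr -> (window_start, hits)

    def exceeded(self, c: Conn) -> bool:
        key = c.src if self.track == "by_src" else c.dst
        start, hits = self.windows.get(key, (c.t, 0))
        if c.t - start >= self.seconds:       # window expired: start a new one
            start, hits = c.t, 0
        hits += 1
        self.windows[key] = (start, hits)
        return hits > self.count

def rule_matches(c: Conn) -> bool:
    """Header and options of the quoted rule: 192.168.1.30 any -> 192.168.1.50 22,
    flow:established,to_server, content:"SSH" nocase within the first 4 bytes."""
    return (c.src == "192.168.1.30" and c.dst == "192.168.1.50" and c.dport == 22
            and c.to_server and b"SSH" in c.payload[:4].upper())

def run(conns, count=3, seconds=60):
    """Return the timestamps at which the rule would raise an event."""
    df = DetectionFilter(count, seconds)
    return [c.t for c in conns if rule_matches(c) and df.exceeded(c)]

BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
# Constructed sample: client banners at 0, 10, 20, 30 s (inside one 60 s window)
# and a fifth at 100 s, plus the server's own banner flowing the other way.
SAMPLE = [Conn(t, "192.168.1.30", 51000 + i, "192.168.1.50", 22, True, BANNER)
          for i, t in enumerate((0, 10, 20, 30, 100))]
SAMPLE.insert(1, Conn(5, "192.168.1.50", 22, "192.168.1.30", 51000, False, BANNER))
```

With count 3, `run(SAMPLE)` reports only the fourth client banner inside the 60 s window (t=30); three attempts alone produce no event, and the server-side banner is never matched by this header because it travels 192.168.1.50:22 -> 192.168.1.30.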
