[Snort-users] snort to trap SSH connection --HOWTO?

gerald. gerald.chan at ...3710...
Fri Oct 5 22:51:03 EDT 2001


Hi,

I am running Linux Redhat 7.1, snort-1.8.1-RELEASE, openssh 2.9.2

I tried to trap any suspicious SSH connection from an external network to my network, but I am unable to start the process.

case 1
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)
result: core dump

case 2
alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)
result: ERROR /etc/snort/rules/ssh.rules (5) => Bad protocol: any
Fatal Error, Quitting..

case 3
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH to sensor";)
result: core dump

Please help, and thanks in advance,

Gerald