[Snort-users] snort to trap SSH connection --HOWTO?

Chris Green cmg at ...671...
Sat Oct 6 06:51:04 EDT 2001


"gerald." <gerald.chan at ...3710...> writes:

> Hi,
>  
> I am running Linux Redhat 7.1, snort-1.8.1-RELEASE, openssh 2.9.2
>  
> I tried to trap any suspicious SSH connection from external network to
> my network, but unable to start the process.


What are the values of $HOME_NET and $EXTERNAL_NET? Show the lines
where they are being defined if you would.

The rule parser isn't as robust as it should be sometimes.

> case 1
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from
> untrusted network"; flags: S; tag: session, 300, packets;)
> result: core dump

Looks good, but you'd probably need to change S to S+ for it to work.
Still need to know the variable values.

> case 2
> alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network";
> flags: S; tag: session, 300, packets;)
> result: ERROR /etc/snort/rules/ssh.rules (5) => Bad protocol: any
> Fatal Error, Quitting..

This one has no protocol.

> case 3
> alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH to sensor";)
> result: core dump
>  
> Please Help and thanks in advance,
>  
> Gerald

-- 
Chris Green <cmg at ...671...>
A good pun is its own reword.
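The reply above asks for the $HOME_NET/$EXTERNAL_NET definitions and points at two parser problems (a missing protocol field, and flags:S versus flags:S+). The script below is an added example, not code from the thread or from the Snort project: a small pre-flight linter for Snort 1.x-style rules that reads the var lines from a snort.conf fragment, expands $VARIABLES (including the usual `var EXTERNAL_NET !$HOME_NET` indirection), and reports the header and option problems a rule would hit before snort is even started. The CIDR in SNORT_CONF and the rules list are constructed sample input; the variable names and rule text come from the post. It also flags two things a practitioner would want to know about case 1: plain `flags:S` matches only packets whose TCP flag byte is exactly SYN (a SYN with reserved/ECN bits set is missed, which is why `S+` is the usual form), and a SYN-only rule written as `$HOME_NET 22 -> $EXTERNAL_NET any` describes a SYN leaving the server's port 22, which a normal handshake never produces; an inbound login attempt is `$EXTERNAL_NET any -> $HOME_NET 22`.

```python
import re

# Constructed sample input (not from the original post): a snort.conf
# fragment defining the two variables the reply asks about. The CIDR
# is an assumption.
SNORT_CONF = """
# site-specific network definitions (assumed values)
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
"""

RULES = [
    # corrected form of case 1: the client's SYN arrives from outside, to port 22
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH login from untrusted network"; flags:S+; tag: session, 300, packets;)',
    # case 2 from the post: protocol field missing
    'alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)',
    # case 1 from the post as written: exact-SYN match, SYN "from" port 22
    'alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from untrusted network"; flags: S; tag: session, 300, packets;)',
    # constructed: references a variable snort.conf never defined
    'alert tcp $UNDEFINED_NET any -> $HOME_NET 22 (msg:"undefined var";)',
]

PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
ACTIONS = {"alert", "log", "pass"}
VAR_RE = re.compile(r"\$(\w+)")
FLAGS_RE = re.compile(r"flags\s*:\s*([FSRPAU12]+)\s*([+*!]?)")
PORT_RE = re.compile(r"^(any|\d+|\d+:\d*|:\d+)$")


def parse_vars(conf):
    """Collect 'var NAME VALUE' lines from a snort.conf fragment (comments stripped)."""
    variables = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"var\s+(\w+)\s+(\S+)$", line)
        if m:
            variables[m.group(1)] = m.group(2)
    return variables


def expand(token, variables, depth=0):
    """Substitute $NAME references recursively; KeyError carries the first undefined name."""
    if depth > 10:
        raise ValueError("variable nesting too deep: %s" % token)

    def sub(m):
        name = m.group(1)
        if name not in variables:
            raise KeyError(name)
        return variables[name]

    expanded = VAR_RE.sub(sub, token)
    return expanded if expanded == token else expand(expanded, variables, depth + 1)


def lint_rule(rule, variables):
    """Return a list of problems for one rule; an empty list means the header and flags look sane."""
    problems = []
    head, _, body = rule.partition("(")
    tokens = head.split()
    if len(tokens) != 7:
        problems.append("header has %d fields, expected 7 (action proto src sport dir dst dport)" % len(tokens))
    if len(tokens) < 2 or tokens[1] not in PROTOCOLS:
        problems.append("Bad protocol: %s" % (tokens[1] if len(tokens) > 1 else "<missing>"))
    if len(tokens) != 7:
        return problems
    action, proto, src, sport, direction, dst, dport = tokens
    if action not in ACTIONS:
        problems.append("unknown action: %s" % action)
    if direction not in ("->", "<>"):
        problems.append("bad direction operator: %s" % direction)
    for field in (src, sport, dst, dport):
        try:
            expand(field, variables)
        except KeyError as e:
            problems.append("undefined variable $%s" % e.args[0])
    for port in (sport, dport):
        if not VAR_RE.search(port) and not PORT_RE.match(port):
            problems.append("bad port: %s" % port)
    m = FLAGS_RE.search(body)
    if m:
        bits, modifier = m.groups()
        if modifier == "":
            # exact match: a SYN carrying reserved/ECN bits would not fire this rule
            problems.append("flags:%s matches only packets with exactly those bits; "
                            "flags:%s+ also matches when other bits are set" % (bits, bits))
        if bits == "S" and sport != "any" and dport == "any":
            # a handshake SYN goes from the client to the server port, never from it
            problems.append("SYN-only rule with source port %s: a client's connection "
                            "attempt has the server port as its destination" % sport)
    return problems


def lint_rules(rules, variables):
    """Lint every rule; returns {rule_index: [problems]} for the rules that have any."""
    return {i: p for i, p in ((i, lint_rule(r, variables)) for i, r in enumerate(rules)) if p}


if __name__ == "__main__":
    v = parse_vars(SNORT_CONF)
    for name in ("HOME_NET", "EXTERNAL_NET"):
        print("%s = %s  ->  %s" % (name, v[name], expand("$" + name, v)))
    for i, probs in lint_rules(RULES, v).items():
        print("rule %d: %s" % (i, RULES[i]))
        for p in probs:
            print("    %s" % p)
```

Run it against your real snort.conf and rules file by swapping the constructed strings for the file contents; a rule that comes back clean here can still be rejected by snort for option-level reasons this linter does not model, but the three failure modes in the thread (missing protocol, undefined variable, exact-flag match) are caught before the daemon starts.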