[Snort-users] snort to trap SSH connection --HOWTO?

gerald. gerald.chan at ...3710...
Sat Oct 6 07:31:08 EDT 2001


the values are:

var HOME_NET [203.126.161.32/27,192.168.88.0/24]
var EXTERNAL_NET !$HOME_NET

thanks.
----- Original Message ----- 
From: "Chris Green" <cmg at ...671...>
To: "gerald." <gerald.chan at ...3710...>
Cc: <snort-users at lists.sourceforge.net>
Sent: Saturday, October 06, 2001 9:46 PM
Subject: Re: [Snort-users] snort to trap SSH connection --HOWTO?


> "gerald." <gerald.chan at ...3710...> writes:
> 
> >
> > Hi,
> >  
> > I am running Linux Redhat 7.1, snort-1.8.1-RELEASE, openssh 2.9.2
> >  
> > I tried to trap any suspicious SSH connection from external network to
> > my network, but unable to start the process.
> 
> 
> What are the values of $HOME_NET and $EXTERNAL_NET? Show the lines
> where they are being defined if you would.
> 
> Rule parser isn't as robust as it should be sometimes.
> 
> > case 1
> > alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from
> > untrusted network"; flags: S; tag: session, 300, packets;)
> > result: core dump
> 
> looks good but you'd probably need to change S to S+ for it to work.
> Still need to know the variable values.
> 
> > case 2
> > alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted network";
> > flags: S; tag: session, 300, packets;)
> > result: ERROR /etc/snort/rules/ssh.rules (5) => Bad protocol: any
> > Fatal Error, Quitting..
> 
> This one has no protocol
> 
> > case 3
> > alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH to sensor";)
> > result: core dump
> >  
> > Please Help and thanks in advance,
> >  
> > Gerald
> 
> -- 
> Chris Green <cmg at ...671...>
> A good pun is its own reword.
> 
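The three cases from the post, run through a toy rule parser and matcher. This is an added example, not Snort's own code: it mimics how a 1.8-era rule header (action proto src sport dir dst dport) and the `flags` option are read, using the HOME_NET/EXTERNAL_NET definitions quoted above. The packets and the INBOUND rule are constructed for the example; `flags:S` is treated as an exact match and `S+` as "SYN plus any other bits", which is what the S-to-S+ advice relies on. The parser's error for case 2 names the token it took as the protocol, so its text differs from the "Bad protocol: any" Snort printed.

```python
"""Toy Snort-1.8-style rule parser and packet matcher: an added example, not
Snort's own code, mimicking how the rule header and `flags` option are read."""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Variable definitions as quoted in the reply above.
CONF = """
var HOME_NET [203.126.161.32/27,192.168.88.0/24]
var EXTERNAL_NET !$HOME_NET
"""

def parse_vars(conf):
    """Collect `var NAME VALUE` lines into a dict."""
    return dict(re.findall(r"^\s*var\s+(\S+)\s+(\S+)", conf, re.M))

def expand_address(spec, variables):
    """Resolve $VAR, a leading '!' and [a,b] lists into (negated, networks);
    'any' becomes (False, None)."""
    negated = False
    while spec.startswith(("!", "$")):
        if spec[0] == "!":
            negated, spec = not negated, spec[1:]
        else:
            spec = variables[spec[1:]]  # KeyError for an undefined variable
    if spec == "any":
        return False, None
    return negated, [ipaddress.ip_network(p, strict=False)
                     for p in spec.strip("[]").split(",")]

def parse_rule(text, variables):
    """Parse one rule.  Like Snort, the second whitespace token is taken as
    the protocol, so a header that omits it is rejected before anything else."""
    head, _, body = text.partition("(")
    toks = head.split()
    proto = toks[1] if len(toks) > 1 else ""
    if proto not in PROTOCOLS:
        raise ValueError("Bad protocol: " + proto)
    if len(toks) != 7 or toks[4] != "->":  # '<>' is not modelled here
        raise ValueError("Malformed rule header: " + head.strip())
    opts = dict(re.findall(r"(\w+)\s*:\s*([^;]*);", body))  # option -> value
    return {"proto": proto, "sport": toks[3], "dport": toks[6], "opts": opts,
            "src": expand_address(toks[2], variables),
            "dst": expand_address(toks[5], variables)}

def _addr_ok(addr_spec, ip):
    negated, nets = addr_spec
    if nets is None:
        return True
    return any(ipaddress.ip_address(ip) in n for n in nets) != negated

def _port_ok(port_spec, port):
    return port_spec == "any" or int(port_spec) == port

def _flags_ok(flag_spec, flags):
    """Snort `flags`: 'S' matches SYN only, 'S+' matches SYN plus any others."""
    if not flag_spec:
        return True
    wanted, have = set(flag_spec.rstrip("+")), set(flags)
    return wanted <= have if flag_spec.endswith("+") else wanted == have

def matches(rule, pkt):
    """pkt: dict with src, sport, dst, dport and flags (e.g. 'SA')."""
    return (rule["proto"] == "tcp"  # the toy matcher only models TCP
            and _addr_ok(rule["src"], pkt["src"]) and _port_ok(rule["sport"], pkt["sport"])
            and _addr_ok(rule["dst"], pkt["dst"]) and _port_ok(rule["dport"], pkt["dport"])
            and _flags_ok(rule["opts"].get("flags", ""), pkt["flags"]))

VARS = parse_vars(CONF)
# Cases 1 and 2 as posted, case 1 with S+ as suggested, and a constructed
# inbound variant that watches the client's SYN instead of the server's reply.
CASE1 = ('alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SSH login from '
         'untrusted network"; flags: S; tag: session, 300, packets;)')
CASE1_PLUS = CASE1.replace("flags: S;", "flags: S+;")
CASE2 = ('alert $HOME_NET 22 -> any any (msg:"SSH login from untrusted '
         'network"; flags: S; tag: session, 300, packets;)')
INBOUND = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH to sensor"; flags: S;)'

# Constructed packets: one SSH handshake from outside, one purely internal.
CLIENT_SYN = dict(src="1.2.3.4", sport=40000, dst="203.126.161.40", dport=22, flags="S")
SERVER_SYNACK = dict(src="203.126.161.40", sport=22, dst="1.2.3.4", dport=40000, flags="SA")
INTERNAL_SYNACK = dict(src="192.168.88.5", sport=22, dst="192.168.88.9", dport=40001, flags="SA")

def check_cases():
    """Which constructed packet each rule fires on, plus case 2's parse error."""
    r1, r1p, rin = (parse_rule(r, VARS) for r in (CASE1, CASE1_PLUS, INBOUND))
    try:
        parse_rule(CASE2, VARS)
        case2_error = None
    except ValueError as err:
        case2_error = str(err)
    return {"case1_client_syn": matches(r1, CLIENT_SYN),
            "case1_server_synack": matches(r1, SERVER_SYNACK),
            "case1plus_server_synack": matches(r1p, SERVER_SYNACK),
            "case1plus_internal": matches(r1p, INTERNAL_SYNACK),
            "inbound_client_syn": matches(rin, CLIENT_SYN),
            "case2_error": case2_error}
```

Running `check_cases()` shows the point of the S+ advice: case 1 is keyed on the server's port, so the only packet it can ever see is the server's SYN/ACK, which `flags:S` rejects and `flags:S+` accepts. The INBOUND variant (external any -> home 22, `flags:S`) fires on the client's SYN itself, and the `!$HOME_NET` negation keeps an internal-to-internal handshake from matching either rule.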