alert logging of non local lan SSH connections.

Brian bmc at ...950...
Tue Sep 18 20:06:02 EDT 2001

According to Travis Farmer:
> How do I set up an alert to log remote SSH connections (just the headers and 
> possibly the username used if possible).

Username?  You don't.  That is after the encryption has taken over.

You can log a short bit of the connection before encryption takes hold
with this.

# Alert on the initial SYN to port 22, then tag the session for 300 packets.
alert tcp any any -> yourserver 22 (msg:"SSH to sensor"; flags:S; \
	tag: session, 300, packets;)

Brian Caswell
Snort Rules Bastard
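
What the tagged packets can yield before encryption starts, as an added example that is not part of the original post: a parser for the cleartext SSH identification string and, for SSH-2, the first key-exchange algorithm list. The function names and the sample bytes are constructed for illustration; the sample KEXINIT is cut down to its first name-list.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253

def _name_list(buf, off):
    """Decode one SSH name-list (uint32 length + comma-separated ASCII)."""
    if off + 4 > len(buf):
        return None
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        return None  # capture ended mid-field
    return buf[off + 4:off + 4 + n].decode("ascii", "replace").split(",")

def parse_cleartext(stream):
    """Extract what one side of an SSH session sends before encryption."""
    out = {"banner": None, "proto": None, "software": None, "kex": None}
    end = stream.find(b"\n")
    if not stream.startswith(b"SSH-") or end < 0:
        return out  # not SSH, or the banner was not captured
    out["banner"] = stream[:end].rstrip(b"\r").decode("ascii", "replace")
    parts = out["banner"].split("-", 2)
    if len(parts) == 3:
        out["proto"], out["software"] = parts[1], parts[2].split(" ")[0]
    rest = stream[end + 1:]
    # SSH-2 binary packet: uint32 packet_length, byte padding_length, payload
    if out["proto"] in ("2.0", "1.99") and len(rest) >= 6:
        (pkt_len,) = struct.unpack(">I", rest[:4])
        payload = rest[5:4 + pkt_len - rest[4]]
        if payload[:1] == bytes([SSH_MSG_KEXINIT]):
            out["kex"] = _name_list(payload, 17)  # skip type + 16-byte cookie
    return out

def build_sample():
    """Constructed client bytes: banner plus a KEXINIT cut to its first list."""
    kex = b"diffie-hellman-group1-sha1"
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16) + struct.pack(">I", len(kex)) + kex
    pad = bytes(4)
    pkt = struct.pack(">IB", 1 + len(payload) + len(pad), len(pad)) + payload + pad
    return b"SSH-2.0-OpenSSH_2.9p2\r\n" + pkt

if __name__ == "__main__":
    print(parse_cleartext(build_sample()))
```

The username never appears in these fields because user authentication is exchanged only after the key exchange completes.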

