[Snort-users] alert logging of non local lan SSH connections.
bmc at ...950...
Tue Sep 18 20:06:02 EDT 2001
According to Travis Farmer:
> How do I set up an alert to log remote SSH connections (just the headers and
> possibly the username used if possible)?
Username? You don't. That is after the encryption has taken over.
You can log a short bit of the connection before encryption takes hold:
alert tcp any any -> yourserver 22 (msg:"SSH to sensor"; flags:S; \
    tag: session, 300, packets;)
Snort Rules Bastard
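
What the tagged packets can still show, as an added example that is not part of the original post: a Python parser for the cleartext start of an SSH-2 stream (RFC 4253 is an assumption here), which carries only the identification string and the KEXINIT algorithm lists, never the username. The function names and the sample bytes are constructed for illustration.

```python
import struct

SSH_MSG_KEXINIT = 20  # RFC 4253, section 7.1
# Order of the ten name-lists that follow the 16-byte cookie in KEXINIT.
KEXINIT_LISTS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s",
                 "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def parse_cleartext_prefix(stream: bytes) -> dict:
    """Parse banner and KEXINIT name-lists from one direction of a TCP stream."""
    end = stream.find(b"\n")
    if not stream.startswith(b"SSH-") or end < 0:
        raise ValueError("no SSH identification string")
    out = {"banner": stream[:end].rstrip(b"\r").decode("ascii", "replace")}
    pkt = stream[end + 1:]
    if len(pkt) < 6:
        return out  # capture ended before key exchange began
    pkt_len, pad_len, msg = struct.unpack(">IBB", pkt[:6])
    if msg != SSH_MSG_KEXINIT or pkt_len + 4 > len(pkt):
        return out  # unexpected or truncated first packet
    # Payload after the message-type byte: cookie, name-lists, trailer.
    body = pkt[6:4 + pkt_len - pad_len]
    pos = 16  # skip the random cookie
    for name in KEXINIT_LISTS:
        if pos + 4 > len(body):
            raise ValueError("truncated KEXINIT")
        (n,) = struct.unpack(">I", body[pos:pos + 4])
        if pos + 4 + n > len(body):
            raise ValueError("name-list overruns packet")
        raw = body[pos + 4:pos + 4 + n].decode("ascii", "replace")
        out[name] = raw.split(",") if raw else []
        pos += 4 + n
    return out

def build_sample_stream() -> bytes:
    """Constructed client-side bytes: banner plus one KEXINIT packet."""
    lists = [b"diffie-hellman-group14-sha256", b"ssh-ed25519",
             b"aes128-ctr", b"aes128-ctr", b"hmac-sha2-256", b"hmac-sha2-256",
             b"none", b"none", b"", b""]
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    payload += b"".join(struct.pack(">I", len(l)) + l for l in lists)
    payload += bytes(5)  # first_kex_packet_follows + reserved uint32
    pad = 8 - (len(payload) + 5) % 8
    pad += 8 if pad < 4 else 0  # RFC 4253 requires at least 4 padding bytes
    header = struct.pack(">IB", len(payload) + pad + 1, pad)
    return b"SSH-2.0-ExampleClient_1.0\r\n" + header + payload + bytes(pad)

if __name__ == "__main__":
    for field, value in parse_cleartext_prefix(build_sample_stream()).items():
        print(f"{field}: {value}")
```

Everything after this exchange, including the authentication request that names the user, travels inside the encrypted transport, so the client banner and offered algorithms are the most a sensor can attribute to a session.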