[Snort-users] Alert not detected once

João Mota joao at ...13547...
Thu May 11 10:39:01 EDT 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello snorters,

A strange thing happened in my snort box. I'm only using snort to
block ssh brute force attacks. I'm using it with snortsam and, because
I couldn't patch the current snort version, I'm using the one already
patched avaible at the snortsam web site (v 2.4.3 Build 26).
Everything was working great (26 sucessfull blocks) until yesterday
when a brute force attack was missed (doesn't show in the snort logs).
The system logs showed over 70 login failures in less than 10 minutes
and I have a threshold of 5 SYN packets to the port 22 per minute. The
rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
Potential SSH Scan"; flags: S; threshold: type threshold, track
by_src, count 5, seconds 60; sid: 2001219; rev:12; fwsam:
src[either],5min; )

Another attack after that one was still detected. Does anyone have a
clue why did this happened? Was there a bugfix related to this in more
recente snort releases?

Thanks

- --
João Mota <joao at ...13547...>
3GNTW - Tecnologias de Informação, Lda

sip: joao at ...13547...
jid: joao at ...13811...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEY3beGDPTPBuCkZgRAhbcAJ9RxFAKsRh1OmnN1w9ovjHa0QweHQCfSjmf
CvwHekRBoMIPlkwQ0zFb2PU=
=Kzxs
-----END PGP SIGNATURE-----





More information about the Snort-users mailing list