[Snort-users] Alert not detected once

Daniel Cid danielcid at ...6873...
Sun May 14 14:52:24 EDT 2006

Hi Joao,

I think you are trying to use the wrong tool for that.
Snort do not have access to the content of the ssh
messages, so you don't know what is going on there
(if the login failed, succeeded, etc).
In addition to that, in just one session (or just one
Syn), a user may attempt 2 or 3 or more passwords
(depending on the sshd server config).

I really recommend you to use a log analysis tool
to solve this kind of problem. You will be able to
see the server response, the user name tried and
exactly the number of attempts. I have been using
ossec hids (I'm one of the developers) for that and 
it is working great. 

In addition to that, most of the people don't know,
but ossec can analyse snort logs and execute actions
based on them in a "safe" manner. For example, you
can configure it to block an IP if we see 5 snort
alerts within 1 minute for that IP (or if we see an
alert from a specific category, etc). It avoids
false-positives and make the active response much
more reliable...

*Example of alert from ossec on multiple ssh failed
logins (it will mail and administrator and block the

OSSEC HIDS Notification.
2006 May 11 21:17:07

Received From: /var/log/messages
Rule: 1512 fired (level 10) -> "SSHD brute force
trying to get access to the system.'"
Portion of the log(s):

sshd[9370]: Failed password for invalid user admin
from port 58257 ssh2
sshd[9370]: Invalid user admin from
sshd[9368]: Failed password for invalid user fluffy
from port 58212 ssh2
sshd[9368]: Invalid user fluffy from
sshd[9366]: Failed password for invalid user slasher
from port 58109 ssh2
sshd[9366]: Invalid user slasher from
sshd[9364]: Failed password for invalid user sifak
from port 58030 ssh2

Sorry if I changed the subject too much :)


Daniel B. Cid
dcid @ ( at ) ossec.net

>Hello snorters,
>A strange thing happened in my snort box. I'm only
>using snort to
>block ssh brute force attacks. I'm using it with
>snortsam and, because
>I couldn't patch the current snort version, I'm using
>the one already
>patched avaible at the snortsam web site (v 2.4.3
>Build 26).
>Everything was working great (26 sucessfull blocks)
>until yesterday
>when a brute force attack was missed (doesn't show in
>the snort logs).
>The system logs showed over 70 login failures in less
>than 10 minutes
>and I have a threshold of 5 SYN packets to the port
22 >per minute. The
>alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:
>Potential SSH Scan"; flags: S; threshold: type
>threshold, track
>by_src, count 5, seconds 60; sid: 2001219; rev:12;
>src[either],5min; )
>Another attack after that one was still detected.
Does >anyone have a
>clue why did this happened? Was there a bugfix
related >to this in more
>recente snort releases?
>- --
>João Mota <joao at ...13547...>
>3GNTW - Tecnologias de Informação, Lda
>sip: joao at ...13547...
>jid: joao at ...13811...

Abra sua conta no Yahoo! Mail: 1GB de espaço, alertas de e-mail no celular e anti-spam realmente eficaz. 

More information about the Snort-users mailing list