[Snort-users] Identify outbound SSH connections

Y M snort at ...15979...
Tue Jan 8 22:45:22 EST 2013

Check sid: 13586 from the VRT tarball; it can be a good starting point.

From: Craig Merchant<mailto:cmerchant at ...16022...>
Sent: 1/9/2013 5:15 AM
To: snort-users at lists.sourceforge.net<mailto:snort-users at ...3783...net>
Subject: [Snort-users] Identify outbound SSH connections

Is there a rule in the emerging threats or sourcefire rule base that will identify an SSH or SSL connection that goes from $HOME_NET -> !$HOME_NET, particularly on non-standard ports?

