[Snort-users] Rule for detecting ssh

Arvid Van Essche arvid at ...16782...
Mon Apr 28 05:20:55 EDT 2014


If you search the available snort signatures, you will find several SSH
related ones.
Sig ID: 19559 is by default disabled and is used for SSH BruteForce
I would suggest you get some inspiration from this one. I would recommend
to look into some rate limiting if you create a signature to match on every
SSH packet/SSH-SYN packet.

# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH
brute force login attempt"; flow:to_server,established; content:"SSH-";
depth:4; detection_filter:track by_src, count 5, seconds 60;
metadata:service ssh; classtype:misc-activity; sid:19559; rev:5;)

Best regards,
Arvid Van Essche
Op 28-apr.-2014 07:48 schreef "basant subba" <basantsubba at ...11827...>:

> I want to write a rule to detect ssh connection request. How do I go about
> it?
> ------------------------------------------------------------------------------
> "Accelerate Dev Cycles with Automated Cross-Browser Testing - For FREE
> Instantly run your Selenium tests across 300+ browser/OS combos.  Get
> unparalleled scalability from the best Selenium testing platform available.
> Simple to use. Nothing to install. Get started now for free."
> http://p.sf.net/sfu/SauceLabs
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140428/bcebd89e/attachment.html>

More information about the Snort-users mailing list