[Snort-users] Rule for detecting ssh

basant subba basantsubba at ...11827...
Wed Jun 25 07:45:28 EDT 2014

I want to write a rule to detect an SSH login attempt from HOME_NET to
a server with IP How do I go about it? This is as far as I
could get, but it looks far from a complete signature to detect SSH login:

alert tcp $HOME_NET any -> 22 (msg:"ssh Login Attempt";
flow:established, to_server; content:"ssh "; sid:10000001; rev:1;)

How do I write the pcre part for this signature? Can anyone help?
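As an added example that is not part of the original post: a Python check of a candidate regular expression for the SSH client identification string (RFC 4253, section 4.2), run over constructed payloads alongside a model of the `content:"ssh "` literal from the rule above. The expression, the function names and the sample payloads are assumptions made for illustration; carrying the expression into a `pcre` option is left to the rule author.

```python
import re

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF",
# sent in cleartext as the first bytes of the client->server stream.
SSH_IDENT = re.compile(rb"^SSH-(\d\.\d{1,2})-(\S+)(?: ([^\r\n]*))?\r?\n")
MAX_IDENT_LEN = 255  # RFC 4253 length limit, CR LF included


def parse_client_ident(payload: bytes):
    """Return (protoversion, software, comments), or None if the payload
    does not start with a well-formed SSH identification string."""
    m = SSH_IDENT.match(payload[:MAX_IDENT_LEN])
    if m is None:
        return None
    proto, software, comments = m.groups()
    return (proto.decode("ascii"), software.decode("ascii", "replace"),
            (comments or b"").decode("ascii", "replace"))


def content_match(payload: bytes, literal: bytes, nocase: bool = False) -> bool:
    """Model of a Snort content option: byte substring search that is
    case-sensitive unless the nocase modifier is set."""
    if nocase:
        return literal.lower() in payload.lower()
    return literal in payload


# Constructed first client->server payloads (not captured traffic).
SAMPLES = {
    "openssh": b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.1\r\n",
    "putty": b"SSH-2.0-PuTTY_Release_0.70\r\n",
    "http_on_22": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "tls_on_22": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    "banner_not_first": b"log: SSH-2.0-OpenSSH_8.9p1\r\n",
    "oversized": b"SSH-2.0-" + b"A" * 300 + b"\r\n",
}


def scan(samples=SAMPLES):
    """Map each sample name to its parsed identification tuple or None."""
    return {name: parse_client_ident(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(f"{name:17} {result}")
    print('content:"ssh " on openssh sample:',
          content_match(SAMPLES["openssh"], b"ssh "))
```

The identification string is sent before key exchange, while authentication happens later inside the encrypted channel, so a match marks a connection attempt rather than a login result.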