[Snort-users] Rule for detecting ssh

basant subba basantsubba at ...11827...
Wed Jun 25 07:45:28 EDT 2014


I want to write a rule to detect an ssh login attempt from HOME_NET to the
server with IP 172.16.24.253. How do I go about it? This is as far as I
could get, but it looks far from a complete signature for detecting an ssh
login attempt.

alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"ssh Login Attempt";
flow:to_server,established; content:"SSH-"; depth:4; sid:10000001; rev:1;)

How do I write the pcre part for this signature? Can anyone help?
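A working version of the rule asked about above, as an added example that is not part of the original post and not taken from the Snort project's own rule set. It assumes Snort 2.9 rule syntax, that 172.16.24.253 is the SSH server in question, and that the sids and the 5-in-60-seconds threshold are placeholders to adjust locally. The only plaintext Snort ever sees in an SSH session is the version exchange at the start of the connection (the client sends "SSH-2.0-<software>" followed by CRLF, per RFC 4253), so that is what both the content match and the pcre anchor on; everything after it, including the actual password or key authentication, is encrypted.

```snort
# Added example, not from the original post or from the Snort rule set.
# Assumes Snort 2.9, SSH server at 172.16.24.253, placeholder sids.

# Rule 1: fire once per SSH session from HOME_NET to the server.
#  - content is case-sensitive without nocase; the banner is literally "SSH-",
#    so "ssh " (lowercase, trailing space) never matches.
#  - depth:4 limits the content search to the first 4 bytes of the payload,
#    which is where the identification string must start.
#  - pcre ^ anchors at the start of the payload; the pattern accepts the
#    protocol versions in use (2.0, 1.99 compatibility, and 1.x).
alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"SSH client version exchange to 172.16.24.253"; flow:to_server,established; content:"SSH-"; depth:4; pcre:"/^SSH-(?:2\.0|1\.99|1\.[0-9]+)-[^\r\n]+\r?\n/"; classtype:misc-activity; sid:10000001; rev:2;)

# Rule 2: same match, but only alert when one source host opens five or more
# SSH sessions to the server within 60 seconds (an approximation of a
# brute-force tool reconnecting per guess; the threshold is an assumption).
alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"Possible SSH brute force: 5+ new sessions from one host in 60s"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-recon; sid:10000002; rev:1;)
```

Two caveats when reading the alerts. First, rule 1 fires per TCP session, not per login attempt: several password guesses inside a single session happen inside the encrypted channel and are invisible to a content or pcre match, so the server's own sshd log (the "Failed password" lines) remains the authoritative source for individual attempts. Second, both rules need the sensor to actually see traffic to 172.16.24.253 with stream reassembly enabled, otherwise flow:established never matches.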