[Snort-users] Rule for detecting ssh

Shirkdog shirkdog at ...11827...
Wed Jun 25 08:49:21 EDT 2014


Add nocase; after your content.
On Jun 25, 2014 7:48 AM, "basant subba" <basantsubba at ...11827...> wrote:

> I want to write a rule to detect a ssh login attempt from HOME_NET to
> server with IP 172.16.24.253. How do I go about it? This is as far as I
> could get but it looks far from complete signature to detect ssh login
> attempt.
>
> alert tcp $HOME_NET any -> 172.16.24.253 22 (msg:"ssh Login Attempt";
> flow:established, to_server; content:"ssh "; sid:10000001; rev:1;)
>
> How do I write the pcre part for this signature? Can any1 help?
>
>
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140625/d2ed74a4/attachment.html>


More information about the Snort-users mailing list