[Snort-users] possable ssh attack

Jeremy Hoel jthoel at ...11827...
Mon Jun 30 00:56:14 EDT 2014


All this alert tells you (based on the rule you wrote) is that someone is
connecting to your server on port 22.  You have system logs that can show
you what they are doing to the service, if they are trying to use different
accounts, etc.

Search the vrt community rule set for other ssh rules that might provide
more information.


On Sat, Jun 28, 2014 at 7:16 AM, Nikola Vulovic <nivukiki at ...11827...> wrote:

> I am  trying snort for the first time,
>  got a bit of panic.
> I suspect someone was trying to bruteforce ssh
> I have attached alert file, and rule that i made
> and lookup from ip
> $ geoiplookup -f /usr/share/GeoIP/GeoLiteCity.dat 194.102.58.6
> GeoIP City Edition, Rev 1: RO, 10, Bucuresti, Bucharest, N/A, 44.433300,
> 26.100000, 0, 0
> $ geoiplookup -d /usr/share/GeoIP/ 194.102.58.6
> GeoIP Country Edition: RO, Romania
> GeoIP ASNum Edition: AS2614 Agentia de Administrare a Retelei Nationale de
> Informatica pentru Educatie si Cercetare
> Are my suspicions correct?
>
>
> --
> Nikola Vulovic
>
>
> ------------------------------------------------------------------------------
> Open source business process management suite built on Java and Eclipse
> Turn processes into business applications with Bonita BPM Community Edition
> Quickly connect people, data, and systems into organized workflows
> Winner of BOSSIE, CODIE, OW2 and Gartner awards
> http://p.sf.net/sfu/Bonitasoft
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140629/b1a50c21/attachment.html>


More information about the Snort-users mailing list