[Snort-users] Building Alert rule
may24x at ...131...
Thu May 7 04:28:10 EDT 2015
I'm running CentOS with Snort 188.8.131.52
The box is online just for a couple of days and I can already see that I'm under attackSomebody is hammering against port 22 trying to get access.
However, since I'm connecting from various places, my IP keeps changing every time.So adding an IP to an ignore test won't help me.
So what I need is to create a rule that sends out an alert if some IP fails to login more than three timesbut won't alert if login is successful.
Is that possible ? And if so, how ?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users