[Snort-users] Building Alert rule

Joel Esler (jesler) jesler at ...589...
Thu May 7 13:26:22 EDT 2015


Have you looked into something like denyhosts?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On May 7, 2015, at 4:28 AM, May Smith <may24x at ...131...<mailto:may24x at ...7093...1...>> wrote:

Hi all,

I'm running CentOS with Snort 2.9.7.2

The box has been online for just a couple of days and I can already see that I'm under attack.
Somebody is hammering against port 22 trying to get access.

However, since I'm connecting from various places, my IP keeps changing every time.
So adding an IP to an ignore test won't help me.

So what I need is to create a rule that sends out an alert if some IP fails to login more than three times
but won't alert if login is successful.

Is that possible? And if so, how?

regards
may
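An added illustration of the point behind the denyhosts suggestion (this code is not from the thread or from either project): Snort inspects packets, and an SSH session is encrypted after the key exchange, so a Snort 2.x rule with a `detection_filter` (track by_src, count, seconds) can flag a source that opens many connections to tcp/22 in a short window, but it cannot tell a failed login from a successful one. That distinction only exists in sshd's own log (/var/log/secure on CentOS), which is what denyhosts reads. The script below does the host-side version of what the poster asked for: it counts "Failed password" lines per source address, reports a source once it exceeds three failures, and resets the counter when that source later logs in successfully, so an operator who mistypes a password and then gets in does not trigger an alert. The log lines are constructed samples in the sshd format, not real entries.

```python
import re
from collections import defaultdict

# Constructed sample entries in the format sshd writes to /var/log/secure.
# These are made up for the example; the addresses are documentation ranges.
SAMPLE_LOG = """\
May  7 04:01:12 host sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
May  7 04:01:15 host sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
May  7 04:01:19 host sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
May  7 04:01:23 host sshd[2105]: Failed password for root from 203.0.113.5 port 51140 ssh2
May  7 04:02:01 host sshd[2110]: Failed password for may from 198.51.100.7 port 40022 ssh2
May  7 04:02:05 host sshd[2110]: Accepted publickey for may from 198.51.100.7 port 40022 ssh2
May  7 04:03:40 host sshd[2120]: Failed password for root from 192.0.2.9 port 33001 ssh2
May  7 04:03:44 host sshd[2120]: Failed password for root from 192.0.2.9 port 33001 ssh2
"""

# sshd logs "invalid user <name>" for accounts that do not exist, so the
# optional group keeps the source address in the same capture group either way.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port"
)
# Covers "Accepted password", "Accepted publickey", etc.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port")


def analyze(log_text, threshold=3):
    """Return {source_ip: failure_count} for every source whose run of failed
    logins exceeded `threshold` without a later successful login from it."""
    failures = defaultdict(int)
    alerted = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(1)
            failures[ip] += 1
            if failures[ip] > threshold:
                alerted.add(ip)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            ip = m.group(1)
            # A successful login clears the source: the poster wants no alert
            # when a legitimate user fumbles a password and then gets in.
            failures[ip] = 0
            alerted.discard(ip)
    return {ip: failures[ip] for ip in alerted}


def format_alerts(results):
    """Render the analysis result as one alert line per offending source."""
    return [f"ALERT: {ip} exceeded failed-login threshold ({n} failures)"
            for ip, n in sorted(results.items())]


if __name__ == "__main__":
    for line in format_alerts(analyze(SAMPLE_LOG)):
        print(line)
```

With the constructed log, only 203.0.113.5 is reported (four failures, no success); 198.51.100.7 fails once and then authenticates, so it is cleared, and 192.0.2.9 stays under the threshold. In production the same logic would tail the live log (or run under a cron job over a time window) and feed its output to whatever blocking or alerting mechanism is in use, which is essentially the job denyhosts already does.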