[Snort-users] Building Alert rule

Joel Esler (jesler) jesler at ...589...
Thu May 7 13:26:22 EDT 2015

Have you looked into something like denyhosts?

Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On May 7, 2015, at 4:28 AM, May Smith <may24x at ...131...> wrote:

Hi all,

I'm running CentOS with Snort.

The box has been online just for a couple of days and I can already see that I'm under attack.
Somebody is hammering against port 22 trying to get access.

However, since I'm connecting from various places, my IP keeps changing every time,
so adding an IP to an ignore list won't help me.

So what I need is to create a rule that sends out an alert if some IP fails to login more than three times
but won't alert if login is successful.

Is that possible? And if so, how?


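The condition the question asks for (alert once a source address has failed to log in more than three times, but not if that source then logs in successfully) is decided on the SSH server, not on the wire: Snort sees the TCP connections to port 22 but not the authentication outcome inside the encrypted session, which is why the reply points at a host-side tool that reads the sshd log. The following is an added example written for this page, not code from the Snort project, from denyhosts, or from either poster. It assumes the sshd message format CentOS writes to /var/log/secure ("Failed password for ... from IP port ..." and "Accepted ... for ... from IP port ..."); the log lines, host name, user names and addresses are constructed, and the syslog timestamps carry no year, so the example compares them with a default year.

```python
"""Count failed SSH logins per source address within a sliding time window and
raise one alert when a source exceeds the threshold; a successful login from
that source clears its counter so the legitimate operator is not alerted on.

Assumed input: sshd lines in the CentOS /var/log/secure format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SYSLOG_TS = "%b %d %H:%M:%S"   # syslog prefix, no year (strptime defaults to 1900)

# Regexes for the two sshd outcomes we care about; "invalid user" is optional
# because sshd logs it only for account names that do not exist.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port"
)

# Constructed sample log (not real traffic): one source hammering root and
# guessed accounts, and the operator mistyping a password three times before
# getting in with a key and then mistyping once more.
SAMPLE_LOG = """\
May  7 04:10:01 host sshd[1201]: Failed password for root from 203.0.113.9 port 51122 ssh2
May  7 04:10:03 host sshd[1201]: Failed password for root from 203.0.113.9 port 51123 ssh2
May  7 04:10:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51124 ssh2
May  7 04:10:08 host sshd[1201]: Failed password for invalid user oracle from 203.0.113.9 port 51125 ssh2
May  7 04:11:30 host sshd[1210]: Failed password for may from 198.51.100.20 port 40001 ssh2
May  7 04:11:35 host sshd[1210]: Failed password for may from 198.51.100.20 port 40002 ssh2
May  7 04:11:41 host sshd[1210]: Failed password for may from 198.51.100.20 port 40003 ssh2
May  7 04:11:50 host sshd[1210]: Accepted publickey for may from 198.51.100.20 port 40004 ssh2
May  7 04:12:00 host sshd[1215]: Failed password for may from 198.51.100.20 port 40005 ssh2
"""


def analyze(lines, threshold=3, window_seconds=600):
    """Return a list of (ip, failure_count) alerts, at most one per source.

    A source is alerted on when it accumulates more than `threshold` failures
    within `window_seconds`; an Accepted line from that source resets it.
    """
    failures = defaultdict(deque)  # ip -> timestamps of failures still in the window
    alerted = set()
    alerts = []
    for line in lines:
        m = ACCEPTED_RE.match(line)
        if m:
            ip = m.group("ip")
            failures.pop(ip, None)   # successful login: forget earlier failures
            alerted.discard(ip)      # and allow a fresh alert later if needed
            continue
        m = FAILED_RE.match(line)
        if not m:
            continue                 # unrelated sshd/syslog line
        ip = m.group("ip")
        ts = datetime.strptime(m.group("ts"), SYSLOG_TS)
        recent = failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the sliding window.
        while (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) > threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, len(recent)))
    return alerts


if __name__ == "__main__":
    for ip, count in analyze(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {count} failed SSH logins from {ip}")
```

Run against the constructed sample, only 203.0.113.9 is reported (four failures); 198.51.100.20 reaches three failures, is cleared by the key login, and its later single failure starts a new count. To run it on a live box, feed `analyze()` the lines of /var/log/secure (or a tail of it); the window keeps a slow scanner from accumulating a count forever, and a source stays flagged until it either logs in successfully or the log is re-read.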

