[Snort-users] snort not alerting on same ip ssh attack after restart

John Devine john.devine at ...17485...
Fri Apr 8 14:06:13 EDT 2016


Hi all,

I am testing alerts on snort 2.9.2.2 on a box running debian by using a mock ssh attack to trigger one of snort's default rules. The rule is generated after 5 ssh attempts are made within 60 seconds. I am using snort as-is; I have created no custom rules. I can reproduce this about once a day, but after a reboot of the box or a restart of snort it will not generate an alert after using the same mock ssh attack, even when I 'attack' it from a different IP. My guess is that there is some default local event filter for a specific rule that prevents the alert from generating again within a certain timeframe. I tried creating a global event filter (event_filter gen_id 0, sig_id 0, type both, track by_src, count -1, seconds 1) in the hope of circumventing all time limits and thresholds that could be preventing snort from alerting. Is there a way to disable any default filters that are preventing snort from generating multiples of the same alerts? If that is even the problem. Essentially, I want snort to be able to generate the same alert every time it happens, which it currently does not.

Thanks.

