[Snort-users] snort not alerting on same ip ssh attack after restart

wkitty42 at ...14940... wkitty42 at ...14940...
Fri Apr 8 14:53:11 EDT 2016

On 04/08/2016 02:06 PM, John Devine wrote:
> Hi all,
> I am testing alerts on snort on a box running debian by using a mock ssh
> attack to trigger one of snort's default rules. The rule is generated after 5

i'm not aware of snort having any "default rules"... at least not by that type 
of naming... which rule are you talking about?

> ssh attempts are made within 60 seconds. I am using snort as-is; I have created
> no custom rules. I can reproduce this about once a day but after a reboot of the
> box or restart of snort it will not generate an alert after using the same mock
> ssh attack even when I 'attack' it from a different IP. My guess is that there

what IPs are you testing from?
which one works and which does not?
what is the IP of your snort box?
what are your HOME_NET and EXTERNAL_NET values?

> is some default local event filter for a specific rule that prevents the alert
> from generating again within a certain timeframe. I tried creating a global
> event filter (event_filter gen_id 0, sig_id 0, type both, track by_src, count
> -1, seconds 1) in the hope of circumventing all time limits and thresholds that
> could be preventing snort from alerting. Is there a way to disable any default
> filters that are preventing snort from generating multiples of the same alerts?

no... not without rewriting the rule... in your case, it would basically mean 
copying that rule to your local.rules file, modifying it as needed, making sure 
to change the SID number (very important) and commenting out the original rule 
in the original .rules file...

> If that is even the problem. Essentially, I want snort to be able to generate
> the same alert every time it happens which is currently does not.

post your answers to the above five questions to the list and let's see what we 
can do :)

  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-users mailing list