[Snort-users] snort not alerting on same ip ssh attack after restart

wkitty42 at ...14940...
Sat Apr 9 00:59:07 EDT 2016


On 04/08/2016 03:42 PM, John Devine wrote:
> what is the IP of your snort box?
> 10.31.40.20
> what are your HOME_NET and EXTERNAL_NET values?
> var HOME_NET
> [10.31.2.78,10.31.2.79,172.17.0.0/24,192.168.11.0/24,192.168.50.15,127.0.0.1]
> var EXTERNAL_NET !$HOME_NET

ok, it appears that you are attacking from outside your defined HOME_NET so the 
rule should trigger...

> My hunch is that there is a specification in some specific rule which is overriding
> any global filter I have in place causing the alerts to stop firing after one
> attack.
> Unfortunately, modifying that specific rule is not an option for me as I update
> the rules
> automatically and don't customize any of them so that would not be a long term fix.

if you are using pulledpork or the older oinkmaster they have a config section 
to be able to modify specific rules... generally the option is disablesid and 
you list a SID to be commented out...

> I found the rule in question in emerging-scan.rules:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan";
> flags:S,12; threshold: type both, track by_src, count 5, seconds 120;
> reference:url,en.wikipedia.org/wiki/Brute_force_attack;
> reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon;
> sid:2001219; rev:19;)

yes, that's in the rule itself... the rule is looking only for SYN packets 
(flags:S,12) starting the three-way handshake... the timing is inside the rule...

   threshold: type both, track by_src, count 5, seconds 120;

the best thing to do is to do like i wrote before unless you want to try playing 
with the updater's modifysid option...

1. copy the rule to your local.rules file...

2. change the SID number in it to something over 10000000... all your local 
rules should be in this range and it should not be used in any other rules sets 
you use...

3. disable the original rule in the original file (emerging-scan.rules)...

4. edit this copy to remove the above threshold section or modify it how you 
want it...


-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
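An added example, not part of the thread above and not code from the Snort or pulledpork projects, illustrating two things the reply describes: why a `threshold: type both, track by_src, count 5, seconds 120` rule fires once per window for a source no matter how many further SYNs arrive, and the four-step "copy to local.rules, re-SID, disable the original, edit the threshold" procedure. The event timestamps and source addresses are constructed; the assumption that the threshold window starts at the first packet seen from a source and resets when it expires is mine; `localize_rule`, `threshold_alerts` and the regexes are hypothetical helpers, not Snort APIs.

```python
"""Added example for the Snort-users reply: model the rule's threshold and
rewrite the rule into local.rules. Not code from Snort, ET or pulledpork."""
import re
from collections import defaultdict

# The rule quoted in the thread (sid:2001219), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; '
        'flags:S,12; threshold: type both, track by_src, count 5, seconds 120; '
        'reference:url,en.wikipedia.org/wiki/Brute_force_attack; '
        'reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; '
        'sid:2001219; rev:19;)')

SID_RE = re.compile(r'sid:\s*(\d+);')
THRESHOLD_RE = re.compile(r'\s*threshold:[^;]*;')
LOCAL_SID_FLOOR = 1000000  # SIDs from 1,000,000 upward are reserved for local rules


def threshold_alerts(events, count, seconds):
    """Model `threshold: type both, track by_src, count N, seconds T`.

    events: iterable of (timestamp_seconds, src_ip), one per matching SYN.
    Returns the (timestamp, src_ip) pairs at which an alert would fire.
    Assumption: a source's window opens at its first packet and a fresh
    window opens once `seconds` have elapsed; one alert per window.
    """
    window_start = {}
    seen = defaultdict(int)
    alerted = set()
    alerts = []
    for ts, src in sorted(events):
        start = window_start.get(src)
        if start is None or ts - start >= seconds:
            window_start[src] = ts      # open a new window for this source
            seen[src] = 0
            alerted.discard(src)
        seen[src] += 1
        if seen[src] >= count and src not in alerted:
            alerts.append((ts, src))   # fire once, then stay quiet this window
            alerted.add(src)
    return alerts


def localize_rule(rule, new_sid, new_threshold=None):
    """Steps 1, 2 and 4 of the reply plus the disablesid entry for step 3.

    Returns (local_rule, disablesid_entry). new_threshold is the text after
    'threshold:' (e.g. 'type limit, track by_src, count 1, seconds 60'), or
    None to drop the threshold entirely so every matching SYN alerts.
    """
    m = SID_RE.search(rule)
    if not m:
        raise ValueError("rule has no sid")
    old_sid = int(m.group(1))
    if new_sid < LOCAL_SID_FLOOR:
        raise ValueError("local rules must use a SID in the local range")
    local = SID_RE.sub(f'sid:{new_sid};', rule)
    if new_threshold is None:
        local = THRESHOLD_RE.sub('', local)
    else:
        local = THRESHOLD_RE.sub(f' threshold: {new_threshold};', local)
    # pulledpork's disablesid.conf takes gid:sid entries; ET text rules are gid 1
    return local, f'1:{old_sid}'


# Constructed traffic: one source sends 20 SYNs, pauses, sends 20 more;
# a second source sends only 3 SYNs and never reaches the count.
SAMPLE_EVENTS = ([(t, "10.31.40.20") for t in range(0, 20)]
                 + [(t, "10.31.40.20") for t in range(300, 320)]
                 + [(t, "10.31.40.21") for t in (10, 11, 12)])

if __name__ == "__main__":
    for ts, src in threshold_alerts(SAMPLE_EVENTS, count=5, seconds=120):
        print(f"t={ts:>4}s  alert for {src}")   # two alerts, 40 SYNs
    local_rule, disable = localize_rule(RULE, 10000001)
    print("local.rules   :", local_rule)
    print("disablesid.conf:", disable)
```

Running it shows that 40 SYNs from 10.31.40.20 yield exactly two alerts (at the fifth packet of each 120-second window), which is the "alerts stop after one attack" behaviour from the original question. The rewritten rule keeps everything except `sid` and `threshold`, and the returned `1:2001219` is the line to put in pulledpork's disablesid.conf so the updater keeps the original commented out on every refresh.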



