[Snort-users] Monitor Authentication

Chris Sandford chris.sandford at ...17499...
Tue Jan 24 09:48:42 EST 2017


Looking to run Snort to monitor authentication attempts on external-facing devices.

Does anyone have an example of a rule looking at a single IP of a device for monitoring login attempts? The rule would alert for failed and successful logins if detected.

In my example the login method would be to monitor SSH login attempts on an external-facing device. Although this is blocked by default, it would be good to monitor for attempted logon requests.


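Added example, not part of the original post and not taken from the Snort project's rule sets: two local rules for one device's SSH port, written in Snort 2.9 syntax. SSH authentication happens inside the encrypted channel, so Snort can alert on connection attempts and on repeated sessions from one source, but not on whether a login succeeded or failed; that has to come from the device's own authentication log. The address 192.0.2.10, the SIDs and the 5-in-60-seconds threshold are placeholder assumptions.

```snort
# local.rules (constructed example)
# 192.0.2.10 is a documentation-range placeholder for the monitored device.
# SIDs 1000001-1000002 are arbitrary values from the local range (>= 1000000).

# Rule 1: alert on every new inbound connection attempt (bare SYN) to the
# device's SSH port. flow:stateless lets the rule fire even when no session
# is ever established, which is the case when the port is blocked. The sensor
# must sit where it sees the packet before the blocking device drops it.
alert tcp any any -> 192.0.2.10 22 ( \
    msg:"LOCAL SSH connection attempt to monitored device"; \
    flags:S,CE; flow:stateless; \
    classtype:attempted-recon; \
    sid:1000001; rev:1;)

# Rule 2: alert when one source opens many SSH sessions in a short window.
# Each session starts with the client's cleartext "SSH-" version banner, so
# counting banners per source approximates repeated login attempts.
# detection_filter suppresses the alert until the 6th banner from the same
# source within 60 seconds; tune count/seconds to the environment.
alert tcp any any -> 192.0.2.10 22 ( \
    msg:"LOCAL SSH repeated sessions from one source"; \
    flow:to_server,established; \
    content:"SSH-"; depth:4; \
    detection_filter:track by_src, count 5, seconds 60; \
    classtype:misc-activity; \
    sid:1000002; rev:1;)
```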
