[Snort-users] Alerting on logged in connections

Tewodros Ambasa black.ambasa at gmail.com
Tue May 21 06:53:44 EDT 2019

Hello. I have been trying to detect SSH connections where a user has logged
in successfully.

I used the following alert:

alert tcp any any -> 22 (msg:"Logged into SSH";
flow:to_server,established; sid:1000254; rev:001; classtype:misc-activity;)

However, this also alerts on SSH connections that have not logged in.

Is it possible to detect logged in SSH connections in Snort?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20190521/7f604f7c/attachment.html>

More information about the Snort-users mailing list