[Snort-users] Alerting on logged in connections
black.ambasa at gmail.com
Tue May 21 06:53:44 EDT 2019
Hello. I have been trying to detect SSH connections where a user has logged
I used the following alert:
alert tcp any any -> 192.168.137.10 22 (msg:"Logged into SSH"; flow:to_server,established; sid:1000254; rev:001; classtype:misc-activity;)
However, this also alerts on SSH connections that have not logged in.
Is it possible to detect logged-in SSH connections in Snort?