Snort Forums Archive
ssh attack
Posted by havelino on March 10, 2005 03:05:47
Hi guys
[My English is not the best, so I'm sorry.]
What I want to do is:
Write a rule that must only be triggered if someone tried to log in with ssh and used different user accounts and wrong passwords.
Any tips?
Hugo
Posted by maverick on March 10, 2005 06:10:01
It is extremely hard (if not impossible) to write generic content rules for encrypted protocols. Your best bet may be to monitor something like this bleeding-edge rule that triggers on multiple SSH hits in a certain time period using the threshold modifier:
alert tcp any any -> $OWNED 22 ( sid:1003224; flow:to_server,established; flags:S; threshold:type threshold, track by_src, count 5, seconds 60; rev:4;)
Depending on the type of intruder you are trying to identify, you could modify the count and time interval of the threshold.
Posted by novowels on March 10, 2005 10:04:03
flow:to_server,established; flags:S;
^^^^^^^^^^^ ^^^^^^^
How can you have flags:S on an established flow?
Posted by havelino on March 10, 2005 23:56:58
When is the rule triggered then? After 5 attempts to log in within 60 seconds?
I couldn't trigger the rule but had no success.
Hugo
Posted by maverick on March 11, 2005 05:11:18
I just grabbed that rule as an example, I personally don't use it. I usually rely on flow-portscan to identify brute force or worm activity. You may want to pull the "flow:to_server,established;" out, as novowels indicated, or play with it a bit. As I indicated before, it is a bleeding-edge rule and they usually have minimal (if any) testing before being released. Make sure that you have the $OWNED variable defined or change the destination to be the servers you wish to watch.
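As an added illustration that is not part of the thread and not code from the Snort project: a small Python model of how the threshold in the rule maverick quoted above decides when to fire, run over a constructed connection log. It answers havelino's question of when the rule fires (on the fifth matching packet from one source within 60 seconds, then again after the next five) and shows novowels' point that keeping `flow:to_server,established` on a `flags:S` rule matches nothing, because a bare SYN is by definition not part of an established session. The value of `$OWNED`, the sample traffic and the simplified threshold semantics are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed value of the $OWNED variable (the thread leaves it undefined).
OWNED = ip_network("10.0.0.0/24")


@dataclass
class Packet:
    t: float           # seconds since start of capture
    src: str
    dst: str
    dport: int
    flags: str         # TCP flags as Snort writes them, e.g. "S", "SA", "PA"
    established: bool  # stream tracker's view: handshake already completed?


def matches_rule_body(pkt: Packet, require_established: bool) -> bool:
    """Header match (-> $OWNED 22) plus flags:S, optionally plus
    flow:to_server,established. A bare SYN is never part of an established
    session, so with require_established=True no packet can match."""
    if pkt.dport != 22 or ip_address(pkt.dst) not in OWNED:
        return False
    if pkt.flags != "S":
        return False
    return pkt.established or not require_established


class ThresholdBySrc:
    """Approximation (assumed, not Snort's code) of
    `threshold:type threshold, track by_src, count N, seconds S`:
    per source, count events inside a window that starts at the first event;
    an event arriving more than S seconds after the window start resets the
    window; reaching N fires an alert and zeroes the counter."""

    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.nodes = {}  # src -> [window_start, counter]

    def event(self, src: str, now: float) -> bool:
        node = self.nodes.get(src)
        if node is None or now - node[0] > self.seconds:
            self.nodes[src] = [now, 1]
            return self.count <= 1
        node[1] += 1
        if node[1] >= self.count:
            node[1] = 0
            return True
        return False


def run(packets, require_established: bool, count=5, seconds=60):
    """Return (time, src) for every packet on which the rule would alert."""
    thd = ThresholdBySrc(count, seconds)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.t):
        if matches_rule_body(pkt, require_established) and thd.event(pkt.src, pkt.t):
            alerts.append((pkt.t, pkt.src))
    return alerts


def syn(t, src, dst="10.0.0.5", dport=22):
    return Packet(t, src, dst, dport, "S", established=False)


# Constructed traffic, not a real capture: 192.0.2.10 opens ten SSH
# connections in 45 s (a brute forcer reconnecting between login attempts),
# 198.51.100.7 opens two and exchanges data, and two SYNs fall outside the
# rule's header (wrong port, destination not in $OWNED).
SAMPLE_PACKETS = (
    [syn(5.0 * i, "192.0.2.10") for i in range(10)]           # t = 0, 5, ..., 45
    + [syn(3.0, "198.51.100.7"), syn(50.0, "198.51.100.7")]
    + [Packet(4.0, "198.51.100.7", "10.0.0.5", 22, "PA", True)]
    + [syn(7.0, "192.0.2.10", dport=80),                       # not port 22
       syn(8.0, "192.0.2.10", dst="203.0.113.9")]              # not in $OWNED
)

if __name__ == "__main__":
    print("flags:S only:         ", run(SAMPLE_PACKETS, require_established=False))
    print("with flow:established:", run(SAMPLE_PACKETS, require_established=True))
```

Two caveats the model makes visible: the rule counts new TCP connections to port 22, not failed logins, so a scripted legitimate user reconnecting often trips it just as a brute forcer does; and a single SSH connection can carry several password attempts before the server drops it, so an attacker who keeps one session open produces only one SYN and never reaches the threshold.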
Posted by havelino on March 13, 2005 02:10:25
TNQ
I'm experimenting with it now.