Here's what we have up there now:
alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH
Brute Force Attack"; flow:to_server,established; flags:S; threshold:type
limit, tr
ack by_src, count 5, seconds 60; classtype:attempted-dos; sid:2001219;
rev:3;)
ANd come to think of it I don't recall any good hits on it, but have
caught ssh scans in the logs. So it's broken.
I'll put up this version of yours:
alert tcp any any -> $HOME_NET 22 ( sid: 2001219; rev: 2; msg:
"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:
to_server,established; flags: S; threshold: type threshold, track
by_src, count 5, seconds 60; classtype: attempted-dos;)
and see how it flies.
Thanks
Matt
Federico Petronio wrote:
Actually I think none of those... I get some hits on this rule and
read about "threshold" in Snort Manual.
As I understand, that rule talk about "alert ONLY in the first 5
events" (in both cases).
If we want "after 5 events in less than 60 seconds, generate an
alert", I think the rule should be like:
alert tcp any any -> $HOME_NET 22 ( sid: 2001219; rev: 2; msg:
"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:
to_server,established; flags: S; threshold: type threshold, track
by_dst, count 5, seconds 60; classtype: attempted-dos;)
or
alert tcp any any -> $HOME_NET 22 ( sid: 2001219; rev: 2; msg:
"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:
to_server,established; flags: S; threshold: type threshold, track
by_src, count 5, seconds 60; classtype: attempted-dos;)
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
