the full-disclosure list had a long talk about all this, maybe two or
three talks actually, interesting stuff... try to look for an archive
online.
-John
On Wed, 08 Sep 2004 23:26:49 -0500, Jeff Price <misterunix@cox.net> wrote:
Federico Petronio wrote:
Brian wrote:
On Mon, Aug 23, 2004 at 01:17:00PM -0500, Matthew Jonkman wrote:
Seeing a ton of ssh brute force attempts against boxes all over the
place. None successful since they're concentrating on root, but the
rate is low enough that the portscan preprocessors aren't getting
them (at the thresholds we usually use)
So I put this rule up on bleedingsnort.com:
alert tcp any any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH
Brute Force Attack"; flow:to_server,established; threshold:type
limit, track by_dst, count 5, seconds 60; classtype:attempted-dos;
sid:2001219; rev:1;)
5 ssh connects in 60 seconds from one source is generally unusual.
Except that isn't what your rule states. You are using by_dst, not
by_src.
Your current rule states:
if you see 5 connections to one destination within a 60 second
window, alert.
uh... better hope you are not running a moderately used SSH server and
using bleeding edge rules.
Actually I think none of those... I get some hits on this rule and
read about "threshold" in Snort Manual.
As I understand, that rule talk about "alert ONLY in the first 5
events" (in both cases).
If we want "after 5 events in less than 60 seconds, generate an
alert", I think the rule should be like:
alert tcp any any -> $HOME_NET 22 ( sid: 2001219; rev: 2; msg:
"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:
to_server,established; flags: S; threshold: type threshold, track
by_dst, count 5, seconds 60; classtype: attempted-dos;)
or
alert tcp any any -> $HOME_NET 22 ( sid: 2001219; rev: 2; msg:
"BLEEDING-EDGE Potential SSH Brute Force Attack"; flow:
to_server,established; flags: S; threshold: type threshold, track
by_src, count 5, seconds 60; classtype: attempted-dos;)
Saludos!
Where can I look to find out about these attacks, most of my systems
have seen this traffic? I haven't been able to find out if this is a
worm or somebody running a script on their system.
Thanks in advance.
Jeff Price
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
John Nagro
john.nagro@gmail.com
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
