[Snort-sigs] SSH brute force attack sig

Does anyone have one?

I put together a very simple one to catch *outgoing* evil, but I'm 
wondering if anyone has packet captures that would help with content 
definitions.

Here's the rule I wrote:

# New rule for catching ssh brute-force attacks
alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack"; threshold: 
type both, track by_src, count 2000, seconds 60; classtype:trojan-activity; 
sid:1000281; rev:2;)

It's catching some legitimate sessions, so I'l probably need to raise the 
threshold more, but I'm wondering if there's a packet capture that has 
something unique the rule could trigger on.

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs