Snort mailing list archives

Re: Re: alert logging of non local lan SSH connections.


From: Marsiske Stefan <stefan.marsiske () sysdata siemens hu>
Date: Wed, 19 Sep 2001 09:31:15 +0200

ssh puts the username into your syslog on a new connection, and I think some
other stuff also (successful identification or not).

On Tue, Sep 18, 2001 at 11:06:04PM -0400, Brian wrote:
According to Travis Farmer:
How do I set up an alert to log remote SSH connections (just the headers and
possibly the username used if possible)?

Username?  You don't.  That is after the encryption has taken over.

You can log a short bit of the connection before encryption takes hold
with this.

alert tcp any any -> yourserver 22 (msg:"SSH to sensor"; flags:S; \
      tag: session, 300, packets;)

-- 
Brian Caswell
Snort Rules Bastard

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
---end quoted text---

-- 
Stefan [http://web.interware.hu/stef] UPDATED:001031
gpg-key: http://web.interware.hu/stef/gpg.txt
quote: "Hackers do not feel that leisure time is automatically any more
meaningful than work time. The desirability of both depends on how they are
realized. From the point of a view of a meaningful life, the entire
work/leisure duality must be abandoned. As long as we are living our work or
our leisure, we are not even truly living. Meaning cannot be found in work or
leisure but has to arise out of the nature of the activity itself. Out of
passion. Social value. Creativity."
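
The syslog approach mentioned in this message, as an added example that is not part of the original thread: a small parser that pulls the username, result and source address out of sshd log lines and keeps only connections from outside the local LAN. The OpenSSH-style message format, the 192.168.1.0/24 LAN prefix, the function name and the sample lines are assumptions made for the illustration.

```python
import ipaddress
import re

# Assumption: OpenSSH-style sshd auth messages as they appear in syslog.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

# Assumption: the local LAN prefix; replace with your own address plan.
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = """\
Sep 19 09:31:15 sensor sshd[812]: Accepted password for alice from 192.168.1.20 port 1033 ssh2
Sep 19 09:32:02 sensor sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Sep 19 09:32:40 sensor sshd[819]: Accepted publickey for bob from 198.51.100.9 port 50112 ssh2
Sep 19 09:33:01 sensor sshd[819]: Connection closed by 198.51.100.9 port 50112
Sep 19 09:33:10 sensor sshd[822]: Failed password for root from not-an-ip port 22 ssh2
"""


def remote_ssh_logins(log_text, local_nets=LOCAL_NETS):
    """Return sshd auth events whose source address is outside local_nets."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m is None:
            continue  # not an auth result line (e.g. "Connection closed")
        try:
            addr = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # source logged as a hostname or malformed; skip it
        if any(addr in net for net in local_nets):
            continue  # local LAN connection, not of interest here
        events.append({
            "result": m.group("result"),
            "method": m.group("method"),
            "user": m.group("user"),
            "ip": str(addr),
        })
    return events


if __name__ == "__main__":
    for e in remote_ssh_logins(SAMPLE_LOG):
        print("{result:8} {method:10} user={user} from={ip}".format(**e))
```

The username in a failed attempt is supplied by the remote side, so treat it as untrusted data when forwarding these events to other tools.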
