Snort mailing list archives
Re: Snort rules
From: Elliot Anderson <new.http.451 () gmail com>
Date: Fri, 18 Mar 2016 11:03:22 +0200
Hey, it is a rule to trigger on (or block, if you have inline sensors) connection attempts (flags:S - SYN / brute force attempts) towards your SSH services (HOME_NET 22). It will alert on 5 failed attempts in 30 seconds (count 5, seconds 30) from one IP (track by_src). E.
On 18 Mar 2016, at 09:22, ARUN LAL <arunlal7701 () gmail com> wrote:

Hi All,

Can anyone explain this rule?

-------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 30; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; react:block; sid:20000201; rev:19;)
--------------------------------

Will react:block help us with blocking the IP?

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
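To make the header match and the `threshold: type both, track by_src, count 5, seconds 30` part of the rule concrete, here is a small simulation (an added example written for this archive page, not code from the thread or from Snort itself) that replays constructed packet records through the same logic: only bare SYN packets to port 22 count (the `,12` in `flags:S,12` tells Snort to ignore the two reserved/ECN bits), the counter is kept per source address, and once five matches land inside a 30-second window a single alert fires and further matches from that source are suppressed until the window expires. The packet dictionaries, addresses and timestamps are all constructed for the demo; the `ThresholdBoth` class is a simplified model of Snort's behaviour, not Snort's implementation.

```python
"""Replay the ET SSH-scan rule's match and threshold logic over constructed
packet records. Added example; not Snort code and not from the mailing list."""

# Fields of the rule as posted: dport 22, flags:S,12, count 5, seconds 30.
SYN_RULE = {
    "dport": 22,
    "flags": {"S"},          # SYN must be the only flag set ...
    "ignore": {"1", "2"},    # ... except the reserved/ECN bits, which flags:S,12 ignores
    "count": 5,
    "seconds": 30,
}


def packet_matches(pkt, rule=SYN_RULE):
    """Header/flags part of the rule: tcp to port 22 with exactly SYN set,
    disregarding the two reserved bits as flags:S,12 instructs."""
    if pkt["proto"] != "tcp" or pkt["dport"] != rule["dport"]:
        return False
    return set(pkt["flags"]) - rule["ignore"] == rule["flags"]


class ThresholdBoth:
    """Simplified model of 'threshold: type both': per tracking key, alert once
    when `count` events are seen inside a `seconds` window that starts at the
    first event, then stay silent for the rest of that window."""

    def __init__(self, count=5, seconds=30):
        self.count = count
        self.seconds = seconds
        self.state = {}  # key -> (window_start, hits, already_alerted)

    def observe(self, key, ts):
        start, hits, alerted = self.state.get(key, (ts, 0, False))
        if ts - start >= self.seconds:          # window expired: start a new one
            start, hits, alerted = ts, 0, False
        hits += 1
        fire = hits >= self.count and not alerted
        if fire:
            alerted = True
        self.state[key] = (start, hits, alerted)
        return fire


def run_rule(packets, rule=SYN_RULE):
    """Return (timestamp, source) for every alert the rule would raise."""
    thr = ThresholdBoth(rule["count"], rule["seconds"])
    alerts = []
    for pkt in packets:
        if packet_matches(pkt, rule) and thr.observe(pkt["src"], pkt["ts"]):
            alerts.append((pkt["ts"], pkt["src"]))
    return alerts


def sample_packets():
    """Constructed traffic: 10.0.0.5 sends seven SYNs to port 22 in seven
    seconds, then five more after the 30-second window has lapsed; 10.0.0.9
    sends only three (with the ECE bit set, which the rule ignores)."""
    pkts = [dict(ts=t, proto="tcp", src="10.0.0.5", dport=22, flags="S") for t in range(7)]
    pkts.append(dict(ts=2, proto="tcp", src="10.0.0.5", dport=22, flags="SA"))  # not a bare SYN
    pkts.append(dict(ts=3, proto="tcp", src="10.0.0.5", dport=80, flags="S"))   # wrong port
    pkts += [dict(ts=10 + t, proto="tcp", src="10.0.0.9", dport=22, flags="S2") for t in range(3)]
    pkts += [dict(ts=t, proto="tcp", src="10.0.0.5", dport=22, flags="S") for t in range(35, 40)]
    pkts.sort(key=lambda p: p["ts"])
    return pkts


if __name__ == "__main__":
    for ts, src in run_rule(sample_packets()):
        print(f"t={ts:>3}s  ET SCAN Potential SSH Scan  src={src}")
```

Running it yields two alerts for 10.0.0.5 (at the fifth SYN of each window, t=4 and t=39) and none for 10.0.0.9, which never reaches five SYNs; the SYN-ACK and the port-80 SYN are ignored by the header match before the threshold is ever consulted. This is also why the rule is an indicator of scanning or brute-force rather than of "failed" logins: it counts connection attempts, not authentication results.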
Current thread:
- Snort rules ARUN LAL (Mar 18)
- Re: Snort rules Elliot Anderson (Mar 18)