Snort mailing list archives
Re: snort not alerting on same ip ssh attack after restart
From: wkitty42 () windstream net
Date: Sat, 9 Apr 2016 00:59:07 -0400
On 04/08/2016 03:42 PM, John Devine wrote:
>> what is the IP of your snort box?
> 10.31.40.20
>> what are your HOME_NET and EXTERNAL_NET values?
> var HOME_NET [10.31.2.78,10.31.2.79,172.17.0.0/24,192.168.11.0/24,192.168.50.15,127.0.0.1]
> var EXTERNAL_NET !$HOME_NET
ok, it appears that you are attacking from outside your defined HOME_NET so the rule should trigger...
> My hunch is that there is a specification in some specific rule which is overriding any global filter I have in place causing the alerts to stop firing after one attack. Unfortunately, modifying that specific rule is not an option for me as I update the rules automatically and don't customize any of them so that would not be a long term fix.
if you are using pulledpork or the older oinkmaster they have a config section to be able to modify specific rules... generally the option is disablesid and your list an SID to be commented out...
> I found the rule in question in emerging-scan.rules:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:19;)
yes, that's in the rule itself... the rule is looking only for SYN packets (flags:S,12) starting the three-way handshake... the timing is inside the rule... threshold: type both, track by_src, count 5, seconds 120; the best thing to do is to do like i wrote before unless you want to try playing with the updater's modifysid option...

1. copy the rule to your local.rules file...
2. change the SID number in it to something over 10000000... all your local rules should be in this range and it should not be used in any other rules sets you use...
3. disable the original rule in the original file (emerging-scan.rules)...
4. edit this copy to remove the above threshold section or modify it how you want it...

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private
contact is specifically requested and granted.
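Added example, not code from the thread or from the Snort project: a small Python model of the rule-level threshold keyword, replayed over constructed SYN events, to show why the ET SCAN rule quoted above ("type both, track by_src, count 5, seconds 120") alerts once per source per 120-second window and then stays silent. It goes a little beyond the thread by also modelling the limit and threshold types, since step 4 above suggests editing that section; the model is an approximation of Snort's behaviour, and the IP addresses and timings are made up.

```python
# Added example (not from the thread): a model of Snort's rule-level
# "threshold" keyword, used to show why the ET SCAN SSH rule alerts once
# per source per window. Approximates Snort; not its actual code.
from collections import defaultdict

def apply_threshold(events, kind="both", count=5, seconds=120):
    """Replay (timestamp, src_ip) SYN events through one rule's threshold.

    kind mirrors Snort's 'type' option (track by_src in every case):
      limit     - alert on the 1st..count-th event per window, then suppress
      threshold - alert on every count-th event, counting restarts after each
      both      - alert once per window, and only once count events were seen
    Returns the (timestamp, src_ip) pairs that would have produced an alert.
    """
    state = defaultdict(lambda: {"start": None, "n": 0})
    alerts = []
    for ts, src in events:
        s = state[src]
        if s["start"] is None or ts - s["start"] >= seconds:
            s["start"], s["n"] = ts, 0          # window expired: start over
        s["n"] += 1
        if kind == "limit" and s["n"] <= count:
            alerts.append((ts, src))
        elif kind == "threshold" and s["n"] == count:
            alerts.append((ts, src))
            s["start"], s["n"] = ts, 0          # count again from zero
        elif kind == "both" and s["n"] == count:
            alerts.append((ts, src))            # later hits this window: silent
    return alerts

# Constructed traffic (not from the thread): 192.0.2.10 sends 20 SYNs to
# port 22 in seconds 0-19, waits, then sends 10 more in seconds 300-309.
# 198.51.100.7 sends only 3 SYNs and never reaches count.
SAMPLE_EVENTS = sorted(
    [(t, "192.0.2.10") for t in range(0, 20)]
    + [(t, "192.0.2.10") for t in range(300, 310)]
    + [(t, "198.51.100.7") for t in (50, 51, 52)]
)

def alerts_for(kind):
    """Alerts the sample traffic would raise under the given threshold type."""
    return apply_threshold(SAMPLE_EVENTS, kind)

if __name__ == "__main__":
    for kind in ("both", "limit", "threshold"):
        print(f"{kind:>9}: {len(alerts_for(kind))} alerts -> {alerts_for(kind)}")
```

With "type both", the 20-SYN burst produces a single alert at second 4 and nothing more until the window has expired and five fresh SYNs arrive, which is the "alerts stop after one attack" behaviour described in the thread.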