Re: snort rules

["Joel Esler \(jesler\) via Snort-sigs" <snort-sigs () lists snort org>]

I believe the "SSH" banner would be going the other way.. (192.168.1.50 22 -> 192.168.1.30 any)

On Jul 23, 2018, at 3:29 PM, Jean Michel Tangué via Snort-sigs <snort-sigs () lists snort org<mailto:snort-sigs () 
lists snort org>> wrote:

alert tcp 192.168.1.30 any -> 192.168.1.50 22 (
msg:"SSH Brute Force Attempt";
flow:established,to_server;
content:"SSH"; nocase; offset:0; depth:4;
detection_filter:track by_src, count 3, seconds 60;
sid:10000001; rev:1;)


I wrote this rule so that when Yura more than three failed SSH connection attempts that there is an alert but it is not 
working. Are this the rule that is badly written ?? Or if not I ask the exact writing of the rule. Thank you very much 
for helping me.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org<mailto:Snort-sigs () lists snort org>
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!