Snort mailing list archives
Re: snort rules
From: "Joel Esler (jesler) via Snort-sigs" <snort-sigs () lists snort org>
Date: Mon, 23 Jul 2018 20:00:15 +0000
I believe the "SSH" banner would be going the other way (192.168.1.50 22 -> 192.168.1.30 any).

On Jul 23, 2018, at 3:29 PM, Jean Michel Tangué via Snort-sigs <snort-sigs () lists snort org> wrote:

> alert tcp 192.168.1.30 any -> 192.168.1.50 22 ( msg:"SSH Brute Force Attempt"; flow:established,to_server; content:"SSH"; nocase; offset:0; depth:4; detection_filter:track by_src, count 3, seconds 60; sid:10000001; rev:1;)
>
> I wrote this rule so that when there are more than three failed SSH connection attempts there is an alert, but it is not working. Is it the rule that is badly written? Or, if not, I ask for the exact writing of the rule. Thank you very much for helping me.
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
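The `detection_filter:track by_src, count 3, seconds 60;` option from the quoted rule, modelled over a list of rule matches to show which ones would become alerts. This is an added example, not code from the thread or from Snort. It assumes one fixed sampling period per source that restarts with the first match after it expires; the function name and the sample events (including the second source address) are constructed.

```python
from dataclasses import dataclass

# Parameters taken from the rule quoted in the thread:
#   detection_filter:track by_src, count 3, seconds 60;
COUNT = 3
SECONDS = 60


@dataclass
class _Period:
    start: float   # timestamp of the match that opened the sampling period
    matches: int   # rule matches seen from this source in the period


def apply_detection_filter(matches, count=COUNT, seconds=SECONDS):
    """Return the (timestamp, src_ip) matches that would generate an alert.

    `matches` holds one (timestamp, src_ip) tuple per packet that already
    satisfied the rest of the rule, sorted by timestamp. The first `count`
    matches of a period are suppressed; every later match in it alerts.
    Assumption: fixed period per source, restarted once it has expired.
    """
    periods = {}
    alerts = []
    for ts, src in matches:
        period = periods.get(src)
        if period is None or ts - period.start > seconds:
            period = periods[src] = _Period(start=ts, matches=0)
        period.matches += 1
        if period.matches > count:   # the rate must be exceeded, not just reached
            alerts.append((ts, src))
    return alerts


# Constructed sample: seconds since start of capture, source address.
# The rule in the thread pins one source; 192.168.1.77 is here only to show
# that by_src keeps a separate counter per source.
SAMPLE_MATCHES = [
    (0, "192.168.1.30"), (5, "192.168.1.30"), (9, "192.168.1.77"),
    (12, "192.168.1.30"),
    (20, "192.168.1.30"),   # 4th match inside 60 s: alert
    (31, "192.168.1.30"),   # 5th match inside 60 s: alert
    (65, "192.168.1.30"),   # period expired: counter restarts at 1
    (70, "192.168.1.30"), (75, "192.168.1.30"),
]

if __name__ == "__main__":
    for ts, src in apply_detection_filter(SAMPLE_MATCHES):
        print(f"t={ts:>3}s alert for {src}")
```

With `count 3`, three matches inside the window produce no alert at all; a fourth is needed before the rule generates an event.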