Snort mailing list archives
Alerting on logged in connections
From: Tewodros Ambasa via Snort-users <snort-users () lists snort org>
Date: Tue, 21 May 2019 12:53:44 +0200
Hello. I have been trying to detect SSH connections where a user has logged in successfully. I used the following alert:

alert tcp any any -> 192.168.137.10 22 (msg:"Logged into SSH"; flow:to_server,established; sid:1000254; rev:001; classtype:misc-activity;)

However, this also alerts on SSH connections that have not logged in. Is it possible to detect logged in SSH connections in Snort?