Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Alerting on logged in connections

From: Tewodros Ambasa via Snort-users <snort-users () lists snort org>
Date: Tue, 21 May 2019 12:53:44 +0200
Hello. I have been trying to detect SSH connections where a user has logged
in successfully.

I used the following alert:

alert tcp any any -> 192.168.137.10 22 (msg:"Logged into SSH";
flow:to_server,established; sid:1000254; rev:001; classtype:misc-activity;)

However, this also alerts on SSH connections that have not logged in.

Is it possible to detect logged in SSH connections in Snort?

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
Previous By Date Next
Previous By Thread Next

Current thread: