[Oisf-users] doc for ssh parser
Russell Fulton
r.fulton at auckland.ac.nz
Fri Dec 19 01:33:33 UTC 2014
On 18/12/2014, at 10:03 am, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
> Hi
>
> I want to do some custom rules for ssh brute force and would like to leverage the ssh parser.
>
> What I want to do initially is just count *established* ssh sessions and alert on thresholds. The current rules trigger on scans and brute force since they alert on flags S12.
I am getting alerts from “alert ssh ……”. Is there a way to get just one alert per TCP session?
eve.json ssh logs just once per session — I want to combine this with a threshold to distinguish brute force from scanning.
Russell
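Added example (not part of the original post, and not Suricata's own code): the per-session counting Russell describes, done over eve.json "ssh" records, which Suricata writes once per flow after the client and server banners have been seen. The record layout used here (event_type "ssh", src_ip/dest_ip, ssh.client.software_version) follows the EVE ssh log format; the log lines themselves are constructed, and the window logic only approximates the rule-level `threshold: type both` (alert once per source per window once `count` sessions are seen). Sources that hit many distinct hosts are labelled scans, those that hammer one host are labelled brute force.

```python
"""Threshold established-SSH sessions from Suricata eve.json per source IP.

Illustration only; field names follow the EVE 'ssh' event, sample data is
constructed, and the threshold semantics approximate 'threshold: type both'.
"""
import json
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

SshSession = namedtuple("SshSession", "ts src_ip dest_ip dest_port client_software")


def _eve_ssh_line(ts, src, dst, client_sw, flow_id):
    """Build one constructed eve.json 'ssh' record (layout assumed from EVE output)."""
    return json.dumps({
        "timestamp": ts, "flow_id": flow_id, "event_type": "ssh",
        "src_ip": src, "src_port": 40000 + flow_id, "dest_ip": dst, "dest_port": 22,
        "proto": "TCP",
        "ssh": {"client": {"proto_version": "2.0", "software_version": client_sw},
                "server": {"proto_version": "2.0", "software_version": "OpenSSH_6.6.1"}},
    })


def constructed_eve_log():
    """Constructed sample log: one brute-forcer, one scanner, one normal client."""
    lines, fid = [], 1
    # 203.0.113.5: six completed sessions to a single host within 25 s
    for i in range(6):
        lines.append(_eve_ssh_line(f"2014-12-18T10:00:{i * 5:02d}.000000+0000",
                                   "203.0.113.5", "192.0.2.10", "libssh-0.6.3", fid))
        fid += 1
    # 198.51.100.7: five completed sessions to five different hosts within 20 s
    for i in range(5):
        lines.append(_eve_ssh_line(f"2014-12-18T10:01:{i * 5:02d}.000000+0000",
                                   "198.51.100.7", f"192.0.2.{20 + i}", "paramiko_1.15.1", fid))
        fid += 1
    # a non-ssh event that must be ignored, and one ordinary ssh session
    lines.append(json.dumps({"timestamp": "2014-12-18T10:02:00.000000+0000",
                             "event_type": "flow", "src_ip": "192.0.2.50", "dest_ip": "192.0.2.10"}))
    lines.append(_eve_ssh_line("2014-12-18T10:02:05.000000+0000",
                               "192.0.2.50", "192.0.2.10", "OpenSSH_6.6.1", fid))
    return "\n".join(lines)


def parse_ssh_events(eve_text):
    """Keep only event_type == 'ssh' records; each one is a completed banner exchange."""
    events = []
    for line in eve_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "ssh":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        events.append(SshSession(ts, rec["src_ip"], rec["dest_ip"], rec["dest_port"],
                                 rec["ssh"]["client"].get("software_version", "")))
    return events


def threshold_ssh_sessions(events, count=5, seconds=60, scan_targets=3):
    """Alert once per source per window after `count` established SSH sessions.

    kind == 'scan' when the sessions spread over >= scan_targets distinct hosts,
    'brute_force' when they concentrate on fewer hosts.
    """
    window = timedelta(seconds=seconds)
    history = defaultdict(list)   # src_ip -> [(ts, dest_ip)] inside the window
    quiet_until = {}              # src_ip -> suppression deadline after an alert
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.src_ip in quiet_until and ev.ts < quiet_until[ev.src_ip]:
            continue  # already alerted for this window
        hist = [(t, d) for t, d in history[ev.src_ip] if ev.ts - t <= window]
        hist.append((ev.ts, ev.dest_ip))
        if len(hist) >= count:
            targets = {d for _, d in hist}
            kind = "scan" if len(targets) >= scan_targets else "brute_force"
            alerts.append({"src_ip": ev.src_ip, "kind": kind, "sessions": len(hist),
                           "targets": len(targets), "at": ev.ts.isoformat()})
            quiet_until[ev.src_ip] = ev.ts + window
            hist = []
        history[ev.src_ip] = hist
    return alerts


if __name__ == "__main__":
    for a in threshold_ssh_sessions(parse_ssh_events(constructed_eve_log())):
        print(a)
```

One caveat worth keeping in mind when building on the ssh event: Suricata's ssh parser only reads the version banners and then stops inspecting the flow, so "established" here means the TCP handshake and banner exchange completed, not that authentication succeeded; a successful login after a brute-force run looks the same as the failed attempts before it.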