[Oisf-users] doc for ssh parser

Russell Fulton r.fulton at auckland.ac.nz
Fri Dec 19 01:33:33 UTC 2014

On 18/12/2014, at 10:03 am, Russell Fulton <r.fulton at auckland.ac.nz> wrote:

> Hi
> I want to do some custom rules for ssh brute force and would like to leverage the ssh parser.
> What I want to do initially is just count *established* ssh sessions and alert on thresholds.  The current rules trigger on scans and brute force since they alert on flags S12.

I am getting alerts from “alert ssh ……” is there a way to get just one alert per TCP session?

eve.json ssh logs just once per session — I want to combine this with a threshold to distinguish brute force from scanning.


More information about the Oisf-users mailing list