[Oisf-users] doc for ssh parser
Victor Julien
lists at inliniac.net
Fri Dec 19 09:04:28 UTC 2014
On 12/19/2014 02:33 AM, Russell Fulton wrote:
>
> On 18/12/2014, at 10:03 am, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>
>> Hi
>>
>> I want to do some custom rules for ssh brute force and would like to leverage the ssh parser.
>>
>> What I want to do initially is just count *established* ssh sessions and alert on thresholds. The current rules trigger on scans and brute force since they alert on flags S12.
>
> I am getting alerts from “alert ssh ……”; is there a way to get just one alert per TCP session?
>
> eve.json ssh logs just once per session — I want to combine this with a threshold to distinguish brute force from scanning.
Couple of things to try (all untested):
Set flowbit and check for it:
alert ssh ... (flowbit:isnotset,ssh; flowbit:set,ssh; ...)
app-layer-protocol: keyword, as it hooks into the detect engine differently:
alert ssh ... (app-layer-protocol:ssh; ...)
Or even:
alert tcp ... -> any 22 (app-layer-protocol:ssh; ...)
You may want to enable profiling and see which works best.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
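As an added illustration of the per-session counting Russell describes (not code from this thread or from Suricata itself): eve.json emits one "ssh" record per session once both banners have been parsed, so half-open scan probes never appear there, and a sliding-window count of those records per source is the "established sessions above a threshold" signal the thread is after. The eve.json lines below are constructed, and the window/threshold values are assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _ssh_event(ts, src, dest="192.0.2.10"):
    """Build one constructed eve.json ssh record in the shape Suricata's eve logger uses."""
    return json.dumps({"timestamp": ts, "event_type": "ssh", "src_ip": src, "dest_ip": dest,
                       "src_port": 50000, "dest_port": 22, "proto": "TCP",
                       "ssh": {"client": {"proto_version": "2.0", "software_version": "libssh-0.6.3"},
                               "server": {"proto_version": "2.0", "software_version": "OpenSSH_6.6.1"}}})


# Constructed sample log, not captured from a real sensor.
EVE_LINES = [
    # A scanner's half-open probe yields only a flow record, never an ssh record.
    '{"timestamp":"2014-12-19T09:00:00.000000+0000","event_type":"flow","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","dest_port":22}',
    # Five fully established sessions from one source within 40 seconds.
    *[_ssh_event("2014-12-19T09:00:%02d.000000+0000" % s, "198.51.100.7") for s in range(5, 45, 8)],
    _ssh_event("2014-12-19T09:10:00.000000+0000", "192.0.2.50"),  # a single admin login
    "this line is not JSON",  # eve.json can be truncated mid-write; must not crash the counter
]


def count_established_ssh(lines, window_seconds=60, threshold=5):
    """Sliding-window count of established SSH sessions per source IP.

    Returns {src_ip: peak count inside the window} for every source that reached
    `threshold`, i.e. what a 'threshold: type threshold, track by_src' rule would fire on.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src_ip -> timestamps of sessions still inside the window
    flagged = {}
    for raw in lines:
        try:
            ev = json.loads(raw)
        except ValueError:
            continue  # skip malformed lines instead of aborting
        if ev.get("event_type") != "ssh":
            continue  # flow/alert records are not established SSH sessions
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
        q = recent[ev["src_ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # expire sessions that fell out of the window
        if len(q) >= threshold:
            flagged[ev["src_ip"]] = max(flagged.get(ev["src_ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    print(count_established_ssh(EVE_LINES))  # {'198.51.100.7': 5}
```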