[Oisf-users] doc for ssh parser

Victor Julien lists at inliniac.net
Fri Dec 19 09:04:28 UTC 2014

On 12/19/2014 02:33 AM, Russell Fulton wrote:
> On 18/12/2014, at 10:03 am, Russell Fulton <r.fulton at auckland.ac.nz> wrote:
>> Hi
>> I want to do some custom rules for ssh brute force and would like to leverage the ssh parser.
>> What I want to do initially is just count *established* ssh sessions and alert on thresholds.  The current rules trigger on scans and brute force since they alert on flags S12.
> I am getting alerts from “alert ssh ……” is there a way to get just one alert per TCP session?
> eve.json ssh logs just once per session — I want to combine this with a threshold to distinguish brute force from scanning.

Couple of things to try (all untested):

Set flowbit and check for it:
alert ssh ... (flowbit:isnotset,ssh; flowbit:set,ssh; ...)

app-layer-protocol: keyword, as it hooks into the detect engine differently:
alert ssh ... (app-layer-protocol:ssh; ...)

Or even:
alert tcp ... -> any 22 (app-layer-protocol:ssh; ...)

You may want to enable profiling and see which works best.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc

More information about the Oisf-users mailing list