[Oisf-users] Question about SSH scan detection, thresholds and flowbits.

[Nelson, Cooper]

Hi all,

I'm looking to revamp our inbound SSH scanner detection mechanism to more accurately detect current attack trends.  I'm using the new(ish) ssh protocol handler to identify scanners by both port and application:

alert ssh $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"LOCAL SCAN SSH"; flow:established,to_server; threshold: type both, track by_src, count 10, seconds 60; classtype:misc-activity; sid:15; rev:1; metadata:created_at 2019_07_31, updated_at 2019_07_31;)

*However*, this is tagging legit use of SSH from remote systems to do automated batch processing.  Basically using it like RSH.  So I would prefer to do something like this to only tag IP pairs once per day:

alert ssh $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"LOCAL Inbound SSH connection"; flow:established,to_server; threshold: type both, track by_both, count 1, seconds 86400; classtype:misc-activity; sid:15; rev:1; metadata:created_at 2019_08_07, updated_at 2019_08_07;)

Then I want track if this goes over some threshold per 24 hour log rotation.  I could just count it using splunk or scripting, but I'm wondering if there is a way I could do it with flowbits maybe?  Or bake it into the signature itself?

-Coop
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20190807/29a9abfa/attachment-0001.html>