Snort mailing list archives
Re: Building Alert rule
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 7 May 2015 17:26:22 +0000
Have you looked into something like denyhosts?

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On May 7, 2015, at 4:28 AM, May Smith <may24x () yahoo com> wrote:

Hi all,

I'm running CentOS with Snort 2.9.7.2
The box is online just for a couple of days and I can already see that I'm under attack
Somebody is hammering against port 22 trying to get access.
However, since I'm connecting from various places, my IP keeps changing every time. So adding an IP to an ignore test won't help me.
So what I need is to create a rule that sends out an alert if some IP fails to login more than three times but won't alert if login is successful.
Is that possible? And if so, how?

regards
may

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
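The behaviour asked for in this thread (alert when one source IP fails to log in more than three times, stay quiet when a login succeeds) can be checked on the host from the sshd log, which is the kind of data a log-watching tool works from. The following is an added example, not code from the thread participants or from denyhosts; it assumes OpenSSH's usual "Failed password" / "Accepted" syslog lines, and the log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Assumed OpenSSH syslog formats; anchored at end of line so text placed in
# the user name field cannot pose as the "from <ip>" part.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+ ssh2\s*$")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for \S+ from (\S+) port \d+ ssh2\s*$")

MAX_FAILURES = 3  # "more than three" failed logins triggers the alert


def offenders(lines, max_failures=MAX_FAILURES):
    """Return source IPs (in order of first alert) with more than
    max_failures failed logins and no successful login in between."""
    failures = defaultdict(int)
    alerted = []
    for line in lines:
        ok = ACCEPTED.search(line)
        if ok:
            failures[ok.group(1)] = 0  # a successful login clears the count
            continue
        bad = FAILED.search(line)
        if bad:
            ip = bad.group(1)
            failures[ip] += 1
            if failures[ip] > max_failures and ip not in alerted:
                alerted.append(ip)
    return alerted


# Constructed sample in /var/log/secure style (documentation address ranges).
SAMPLE_LOG = """\
May  7 04:01:10 host sshd[2201]: Failed password for root from 203.0.113.5 port 52110 ssh2
May  7 04:01:12 host sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 52111 ssh2
May  7 04:01:15 host sshd[2205]: Failed password for may from 198.51.100.7 port 40020 ssh2
May  7 04:01:17 host sshd[2207]: Failed password for may from 198.51.100.7 port 40021 ssh2
May  7 04:01:20 host sshd[2209]: Accepted password for may from 198.51.100.7 port 40022 ssh2
May  7 04:01:22 host sshd[2211]: Failed password for root from 203.0.113.5 port 52112 ssh2
May  7 04:01:25 host sshd[2213]: Failed password for root from 203.0.113.5 port 52113 ssh2
May  7 04:02:01 host sshd[2215]: Failed password for may from 198.51.100.7 port 40030 ssh2
May  7 04:02:03 host sshd[2217]: Failed password for may from 198.51.100.7 port 40031 ssh2
May  7 04:02:10 host sshd[2219]: Failed password for root from 192.0.2.9 port 33000 ssh2
"""

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG.splitlines()):
        print(f"ALERT: more than {MAX_FAILURES} failed SSH logins from {ip}")
```
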
