Using snort/suricata, I want to generate an SSH alert for every failed login to my Home Network

ssh alert rules snort suricata
13,058

Since you are really attempting to look at the encrypted content (which is where the authentication and subsequent failure message will be), Snort/suricata isn't the ideal tool to use in the way that you describe. Instead, log monitoring would be a better approach.

There are other alternatives, however. You might look into Fail2Ban for automatic blocking at the IPTables level.

If you really want to do it with Snort/Suricata, you could use alert thresholds. For example:

 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Possible SSH brute forcing!"; flags: S+; threshold: type both, track by_src, count 5, seconds 30; sid:10000001; rev: 1;)

This tells Snort/Suricata to generate an alert on inbound connections (inbound packets with SYN set) when a threshold of 5 connections are seen from a single source in the space of 30 seconds. The threshold "both" indicates that it will not alert until this threshold is passed and that it will only generate one alert to notify you, rather than starting to inundate you with alerts.

Note that I have marked the flags as S+. Don't use just SYN. Remember that ECN has become a real "thing" and that you may find that the two bits that Snort/Suricata still call "Reserved" are set as a result of an ECN negotiation.

Share:
13,058
Siddesh S
Author by

Siddesh S

Updated on July 28, 2022

Comments

  • Siddesh S
    Siddesh S almost 2 years

    I am setting up an Intrusion Detection System (IDS) using Suricata. I want to write a custom rule which will generate an alert whenever a failed login attempts occur to my virtual machine.

    Example:

    alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt";flow:established,to_server;content:"SSH";nocase;offset:0; depth:4;detection_filter:track by_src, count 2, seconds 2;sid:2005; rev:1;)

    I tried various combinations for SSH rule but not able to see any alerts in the Suricata Alerts section with multiple bad SSH attempts. (Bad attempts => using invalid password to generate alerts)

    Kindly let me know how to go about this.

  • Reda Drissi
    Reda Drissi about 4 years
    I have used your rule, to test it I tried a bunch of ssh local_ip and it doesn't work, my sshd has password authentication disabled, so I'm only getting the usual permission denied(publickey) message. I changed external/home to any. I'm getting this error: rule 10000001: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction Any idea why?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Show loading indicator only if there's no exceptions in Flutter
Start an Alert by opening page with Flutter web
Why is flutter pub get not finding my ssh-key for github?
Is there a way to configure willPopScope to catch a custom pop navigation in flutter?
Dialog box is not closing flutter
How to Display Progress Wheel/Bar between Flutter transitions?
Flutter Firestore permissions denied
CentOS 7 Minimal Installation on Hyper-V: X11 forwarding using Xming and PuTTy error, xhost: unable to open display ":0.0"
ssh -T [email protected] Permission denied (publickey)
How to transparently monitor SSH access/network traffic in Gentoo/general linux?