[unisog] Tool to find ssh attacks in argus logs

Andreas Östling andreaso at it.su.se
Mon Nov 5 21:08:35 GMT 2001


On Tue, 6 Nov 2001, Russell Fulton wrote:

> I asked this very question on the snort user's mailing list last week
> but received no replies.  I assume the problem is that the data stream
> is encrypted and the fingerprints that could be used by NIDS are
> therefore hidden.

Actually, check out http://www.snort.org/downloads/snortrules.tar.gz
(rules/exploit.rules).
A few ssh rules (regarding the CRC32 bug) were added a couple of days ago.

Regards,
Andreas Östling


