[unisog] Tool to find ssh attacks in argus logs
Russell Fulton
r.fulton at auckland.ac.nz
Tue Nov 6 00:47:17 GMT 2001
Hi Glenn,
On Mon, 5 Nov 2001 15:14:17 -0600 (CST) Glenn Forbes Fleming Larratt
<glratt at rice.edu> wrote:
> For those of us using other than argus, any chance of this for snort/tcpdump
> logs, or written in pseudo-code that's less argus-specific?
ummm... not easily. The problem is that argus does all the hard work
of reassembling the tcp streams into a single compact record. Netramet
(from UoA) could be used to do the same job. Once you have a list of
network flows from argus or some other source then spotting the ssh
attacks is fairly trivial. Basically what the script does is look for
any source IP which has lots of ssh sessions which send about 100K of
data and receive ~300 bytes.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
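The detection described in the message above, written out as an added example in Python; this is not Fulton's script and does not read argus output. The flow records are a constructed CSV with the fields an argus-style flow summary would carry (source, destination, ports, bytes each way), and the byte-count windows and the "lots of sessions" threshold are assumptions chosen to match the "~100K sent, ~300 received" description.

```python
"""Flag source IPs whose ssh flows match the pattern from the post:
many ssh sessions, each sending about 100 KB and receiving ~300 bytes.

Added example, not the original script. The CSV flow format below is
constructed for this example and is not argus/ra output.
"""
import csv
import io
from collections import defaultdict

# Constructed flow records (one per reassembled TCP flow):
# start, proto, saddr, sport, daddr, dport, sbytes (src->dst), dbytes (dst->src)
SAMPLE_FLOWS = """\
start,proto,saddr,sport,daddr,dport,sbytes,dbytes
2001-11-05 10:00:01,tcp,192.0.2.10,40001,203.0.113.1,22,101234,298
2001-11-05 10:00:03,tcp,192.0.2.10,40002,203.0.113.2,22,99876,312
2001-11-05 10:00:05,tcp,192.0.2.10,40003,203.0.113.3,22,102110,305
2001-11-05 10:00:07,tcp,192.0.2.10,40004,203.0.113.4,22,100455,301
2001-11-05 10:00:09,tcp,192.0.2.10,40005,203.0.113.5,22,98790,299
2001-11-05 10:00:11,tcp,192.0.2.10,40006,203.0.113.6,22,100980,310
2001-11-05 10:00:13,tcp,192.0.2.10,40007,203.0.113.7,80,512,1400
2001-11-05 10:05:00,tcp,198.51.100.5,50001,203.0.113.1,22,5120,48210
2001-11-05 10:20:00,tcp,198.51.100.5,50002,203.0.113.2,22,6010,52300
2001-11-05 10:30:00,tcp,198.51.100.7,50100,203.0.113.3,22,101000,20500
"""

SSH_PORT = 22
# Assumed windows for "send about 100K of data and receive ~300 bytes".
MIN_SENT, MAX_SENT = 80_000, 130_000
MAX_RECV = 1_000
# Assumed meaning of "lots of ssh sessions".
MIN_SESSIONS = 5


def parse_flows(text):
    """Parse the constructed CSV into dicts with integer port/byte fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("sport", "dport", "sbytes", "dbytes"):
            row[key] = int(row[key])
        flows.append(row)
    return flows


def is_suspect_ssh_flow(flow):
    """True for an ssh flow where the client pushed ~100K and got back almost nothing.

    A real interactive login or an scp upload receives far more than a few
    hundred bytes back, so those flows fall outside the window.
    """
    return (
        flow["proto"] == "tcp"
        and flow["dport"] == SSH_PORT
        and MIN_SENT <= flow["sbytes"] <= MAX_SENT
        and flow["dbytes"] <= MAX_RECV
    )


def find_ssh_attackers(flows, min_sessions=MIN_SESSIONS):
    """Return {source IP: number of matching ssh flows} for sources over the threshold."""
    counts = defaultdict(int)
    for flow in flows:
        if is_suspect_ssh_flow(flow):
            counts[flow["saddr"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_sessions}


if __name__ == "__main__":
    for ip, n in sorted(find_ssh_attackers(parse_flows(SAMPLE_FLOWS)).items()):
        print(f"{ip}: {n} suspect ssh sessions")
```

In the sample data only 192.0.2.10 is reported: its port-80 flow is ignored, the two interactive logins from 198.51.100.5 receive tens of kilobytes back, and the scp-style upload from 198.51.100.7 sends about 100K but also receives well over the assumed 1,000-byte ceiling. The per-source count is what separates a single odd session from a scan across many hosts, which is the signal the post is describing.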