[unisog] Tool to find ssh attacks in argus logs

Russell Fulton r.fulton at auckland.ac.nz
Tue Nov 6 00:47:17 GMT 2001

Hi Glenn,

On Mon, 5 Nov 2001 15:14:17 -0600 (CST) Glenn Forbes Fleming Larratt 
<glratt at rice.edu> wrote:

> For those of us using other than argus, any chance of this for snort/tcpdump
> logs, or written in pseudo-code that's less argus-specific?

ummm... not easily.  The problem is that argus does all the hard work 
of reassembling the tcp streams into a single compact record.  Netramet 
(from UoA) could be used to do the same job.  Once you have a list of 
network flows from argus or some other source then spotting the ssh 
attacks is fairly trivial.  Basically what the script does is look for 
any sources IP which has lots of ssh sessions which send about 100K of 
data and receive ~ 300 bytes.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the unisog mailing list