[unisog] Tool to find ssh attacks in argus logs
sbernard at gmu.edu
Tue Nov 6 15:46:05 GMT 2001
You could set up a honeypot running a slightly customized sshd. At the point
that sshd has decrypted the incoming data stream have it split the output
between stdout and a log.
From: r.fulton at auckland.ac.nz [mailto:r.fulton at auckland.ac.nz]
Sent: Monday, November 05, 2001 2:54 PM
To: Chris Hallenbeck
Cc: unisog at sans.org
Subject: Re: [unisog] Tool to find ssh attacks in argus logs
On Mon, 5 Nov 2001 09:27:13 -0500 (EST) Chris Hallenbeck
<cthallen at binghamton.edu> wrote:
> Do you (or anyone else) have a Snort, or snort-like, compatible IDS
> signature for this particular attack?
I asked this very question on the snort user's mailing list last week
but received no replies. I assume the problem is that the data stream
is encrypted and the finger prints that could be used by NIDS are
Encryption is indeed a two edged sword!
Hmmmm... Does the ISS NIDS have rules for this attack?
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
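Because the SSH payload is opaque to a NIDS, a tool like the one asked about in the subject line can only work from flow metadata. The following is an added example, not code from this thread or from argus: it parses constructed ra(1)-style flow records (the column layout assumed here is an assumption, not real argus output) and flags SSH connections by connection shape alone.

```python
import re
from collections import Counter

# Constructed sample flow records (not real argus output). Assumed layout:
# start time, proto, src addr.port, direction, dst addr.port,
# src pkts, dst pkts, src bytes, dst bytes, TCP state.
SAMPLE_FLOWS = """\
10:01:02.110 tcp 10.0.0.5.40001 -> 192.0.2.10.22 120 130 18000 22000 FIN
10:02:11.004 tcp 198.51.100.7.51000 -> 192.0.2.10.22 6 5 700 600 RST
10:02:11.310 tcp 198.51.100.7.51001 -> 192.0.2.10.22 6 5 700 600 RST
10:02:11.620 tcp 198.51.100.7.51002 -> 192.0.2.10.22 6 5 700 600 RST
10:02:11.900 tcp 198.51.100.7.51003 -> 192.0.2.10.22 6 5 700 600 RST
10:02:12.250 tcp 198.51.100.7.51004 -> 192.0.2.10.22 6 5 700 600 RST
10:05:40.700 tcp 203.0.113.9.46000 -> 192.0.2.10.22 900 40 1300000 4000 FIN
10:06:01.000 tcp 10.0.0.6.40500 -> 192.0.2.11.80 20 18 3000 40000 FIN
"""

ADDR_RE = re.compile(r"^(.*)\.(\d+)$")  # split "a.b.c.d.port" on the last dot

def parse_flows(text):
    """Turn whitespace-separated TCP flow lines into dicts; skip malformed rows."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10 or f[1] != "tcp":
            continue
        src, sport = ADDR_RE.match(f[2]).groups()
        dst, dport = ADDR_RE.match(f[4]).groups()
        flows.append({"time": f[0], "src": src, "dst": dst, "dport": int(dport),
                      "sbytes": int(f[7]), "dbytes": int(f[8]), "state": f[9]})
    return flows

def ssh_alerts(flows, burst=5, short_bytes=1500, big_client_bytes=1_000_000):
    """Score port-22 flows by metadata only; the encrypted payload is never inspected."""
    alerts = []
    ssh = [f for f in flows if f["dport"] == 22]
    # Heuristic 1: a burst of short, aborted sessions from one source (scan/guessing shape).
    aborted = Counter(f["src"] for f in ssh
                      if f["state"] == "RST" and f["sbytes"] < short_bytes)
    for src, n in aborted.items():
        if n >= burst:
            alerts.append(("burst_short_ssh", src, n))
    # Heuristic 2: one session in which the client pushed far more data than it received.
    for f in ssh:
        if f["sbytes"] >= big_client_bytes and f["sbytes"] > 10 * f["dbytes"]:
            alerts.append(("large_client_upload", f["src"], f["sbytes"]))
    return alerts
```

Both heuristics produce false positives (a legitimate scp upload trips the second, a flaky client the first), so the thresholds are per-site tuning knobs rather than signatures.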