[unisog] Tool to find ssh attacks in argus logs

Steve Bernard sbernard at gmu.edu
Tue Nov 6 15:46:05 GMT 2001

You could setup a honeypot running a slightly customized sshd. At the point
that sshd has decrypted the incoming data stream have it split the output
between stdout and a log.


-----Original Message-----
From: r.fulton at auckland.ac.nz [mailto:r.fulton at auckland.ac.nz]
Sent: Monday, November 05, 2001 2:54 PM
To: Chris Hallenbeck
Cc: unisog at sans.org
Subject: Re: [unisog] Tool to find ssh attacks in argus logs

On Mon, 5 Nov 2001 09:27:13 -0500 (EST) Chris Hallenbeck
<cthallen at binghamton.edu> wrote:

> Russell,
>   Do you (or anyone else) have a Snort, or snort-like, compatible IDS
> signature for this particular attack?

I asked this very question on the snort user's mailing list last week
but received no replies.  I assume the problem is that the data stream
is encrypted and the finger prints that could be used by NIDS are
therefore hidden.

Encryption is indeed a two edged sword!

Hmmmm... Does the ISS NIDS have rules for this attack?

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

More information about the unisog mailing list