New from Jabal Raval, interesting one:
# by Jabal Raval
# this string is very unlikely to be seen in normal traffic
# (client identification string sent to the server, RFC 4253 form
#  "SSH-protoversion-softwareversion"; libssh announces itself as "libssh")
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
    (msg:"BLEEDING-EDGE SCAN LibSSH Based SSH Bruteforce Attempt"; \
    flags:PA; flow:established,to_server; \
    content:"libssh"; \
    pcre:"/SSH-(1|2)\.0-.*libssh.*/"; \
    classtype:misc-activity; sid:2006435; rev:1;)
Let me know if you see falses on this. But I think it ought to be
reliable, and a good indication of a brute force run.
Thanks Jabal.
Matt
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
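The detection logic of the posted rule, run over a few constructed SSH banners, as an added example that is not part of the original post or of the Bleeding Edge ruleset. It emulates the rule header ($EXTERNAL_NET -> $HOME_NET tcp/22, client-to-server) and the banner pcre, with the dots escaped so "SSH-2.0-" is matched literally. The HOME_NET prefix, the Packet class, the function names and every sample packet are assumptions made for this example; the banner strings are constructed, not captured.

```python
"""Apply the libssh-banner detection from the rule above to constructed traffic."""
import re
from collections import Counter
from dataclasses import dataclass

# The rule's pcre with the dots escaped so "SSH-2.0-" is matched literally.
# The rule is case-sensitive, so this pattern is too.
LIBSSH_BANNER = re.compile(rb"SSH-(1|2)\.0-.*libssh.*")

HOME_NET = "10.0.0."  # assumed $HOME_NET prefix for the sample traffic below


@dataclass
class Packet:  # hypothetical minimal packet record for this example
    src: str
    dst: str
    dport: int
    payload: bytes
    to_server: bool  # client -> server half of the flow (flow:established,to_server)


def parse_banner(payload: bytes):
    """Split an RFC 4253 identification string
    'SSH-protoversion-softwareversion SP comments CR LF' into its parts.
    Returns (protoversion, softwareversion, comments), or None when the
    payload does not start with an identification string."""
    first = payload.split(b"\n", 1)[0].rstrip(b"\r")
    if not first.startswith(b"SSH-"):
        return None
    proto, sep, tail = first[4:].partition(b"-")
    if not sep:
        return None
    software, _, comments = tail.partition(b" ")
    dec = lambda b: b.decode("ascii", "replace")
    return dec(proto), dec(software), dec(comments)


def banner_matches(payload: bytes) -> bool:
    """The rule's payload test: does the client banner name libssh?"""
    return LIBSSH_BANNER.search(payload) is not None


def run_rule(packets):
    """Emulate the rule header and options: external source, home destination
    on tcp/22, client-to-server direction, then the banner test.
    Returns (src, softwareversion) for each packet that would alert."""
    hits = []
    for p in packets:
        if p.src.startswith(HOME_NET) or not p.dst.startswith(HOME_NET):
            continue  # $EXTERNAL_NET any -> $HOME_NET
        if p.dport != 22 or not p.to_server:
            continue  # port 22, flow:established,to_server
        if banner_matches(p.payload):
            parsed = parse_banner(p.payload)
            hits.append((p.src, parsed[1] if parsed else ""))
    return hits


def sources_over_threshold(hits, threshold):
    """Sources with more than `threshold` alerting connections: the repeated
    connections that make this banner an indicator of a brute-force run."""
    counts = Counter(src for src, _ in hits)
    return {src for src, n in counts.items() if n > threshold}


# Constructed sample traffic (not captured data).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "10.0.0.5", 22, b"SSH-2.0-libssh-0.2\r\n", True),            # alert
    Packet("198.51.100.7", "10.0.0.5", 22, b"SSH-2.0-libssh-0.2\r\n", True),            # alert, second connection
    Packet("198.51.100.7", "10.0.0.5", 22, b"SSH-2.0-OpenSSH_4.3p2 Debian-9\r\n", True),  # no match
    Packet("10.0.0.5", "198.51.100.7", 53112, b"SSH-2.0-OpenSSH_4.3p2\r\n", False),      # server banner, wrong direction
    Packet("203.0.113.9", "10.0.0.5", 22, b"SSH-2.0-libssh2_1.9.0\r\n", True),          # alert: "libssh2" also contains "libssh"
    Packet("203.0.113.9", "10.0.0.5", 22, b"SSH-1.99-libssh-0.2\r\n", True),            # no match: protoversion 1.99
    Packet("10.0.0.8", "10.0.0.5", 22, b"SSH-2.0-libssh-0.2\r\n", True),                # internal source, outside the header
]

if __name__ == "__main__":
    hits = run_rule(SAMPLE_PACKETS)
    for src, software in hits:
        print(f"alert sid:2006435 from {src} ({software})")
    print("sources with repeated hits:", sources_over_threshold(hits, 1))
```

Two caveats the sample makes visible: the banner of libssh2, a separate library, also contains "libssh" and so trips the rule, and a client announcing protoversion 1.99 is not matched at all, so the check is only as good as the version string the client chooses to send.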