Below is a custom rule that raises an alert on TCP traffic from any source to any destination on port 22 whose flag byte is exactly PSH+ACK (flags:PA without a mask is an exact match, so the SYN/SYN-ACK/ACK handshake packets never fire; the first data-bearing segment of each session does). The threshold clause (type limit, track by_dst, count 1, seconds 600) does not produce an alert every 600 seconds: it lets the first matching packet per destination host alert and then suppresses further alerts for that host for the rest of the 600-second window, however many packets or clients hit it. Note that the in-rule threshold keyword is deprecated from Snort 2.8.5 onwards in favour of the detection_filter rule option and event_filter entries in threshold.conf, although Snort 2.x still parses it.
alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; classtype:not-suspicious; threshold: type limit, track by_dst, count 1, seconds 600; sid:1000001; rev:1;)
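To make the threshold semantics concrete, here is an added Python model written for this edit (it is not code from the original post and not Snort's own implementation) that applies the rule's header, the flags:PA option and the threshold clause to a list of packets and returns the ones that would alert. It goes slightly beyond the rule above in that it also models type threshold, type both and track by_src so the three threshold types can be compared on the same traffic; the packet list, addresses and timestamps are constructed for the example, and the threshold behaviour follows the description in the Snort manual.

```python
"""Model of the rule:

    alert tcp any any -> any 22 (msg:"SSH TRAFFIC"; flags:PA; classtype:not-suspicious;
        threshold: type limit, track by_dst, count 1, seconds 600; sid:1000001; rev:1;)

Packets are constructed for the example, not taken from a capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    proto: str     # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters as Snort writes them: "S", "A", "PA", ...


def rule_matches(pkt: Packet) -> bool:
    """Header plus detection option: 'tcp any any -> any 22' and 'flags:PA'.
    flags:PA with no mask means the flag byte must be exactly PSH+ACK, so the
    handshake (S, SA, A) never matches while the first data segment does."""
    return pkt.proto == "tcp" and pkt.dport == 22 and pkt.flags == "PA"


class Threshold:
    """threshold: type <limit|threshold|both>, track <by_src|by_dst>, count N, seconds S"""

    def __init__(self, kind: str, track: str, count: int, seconds: int):
        if kind not in ("limit", "threshold", "both") or track not in ("by_src", "by_dst"):
            raise ValueError("unsupported threshold parameters")
        self.kind, self.track, self.count, self.seconds = kind, track, count, seconds
        self._state = {}  # tracked IP -> (window start, events seen in that window)

    def alert(self, pkt: Packet) -> bool:
        """Called only for packets that already matched; returns whether Snort logs an alert."""
        key = pkt.dst if self.track == "by_dst" else pkt.src
        start, n = self._state.get(key, (None, 0))
        if start is None or pkt.ts - start >= self.seconds:
            start, n = pkt.ts, 0          # no window yet, or window expired: start a fresh one
        n += 1
        self._state[key] = (start, n)
        if self.kind == "limit":
            return n <= self.count        # first <count> events per window alert, the rest are dropped
        if self.kind == "threshold":
            if n >= self.count:           # every <count>-th event alerts, then the counter restarts
                del self._state[key]
                return True
            return False
        return n == self.count            # both: alert once per window, on the <count>-th event


def run_rule(packets, thr: Threshold):
    """Return (ts, src, dst) for every packet that would produce an 'SSH TRAFFIC' alert."""
    return [(p.ts, p.src, p.dst) for p in packets if rule_matches(p) and thr.alert(p)]


# Constructed sample traffic (not a real capture): two SSH clients, two SSH servers.
SAMPLE = [
    Packet(0.0,   "tcp", "10.0.0.5", "10.0.0.20", 22, "S"),   # SYN: not PA, never matches
    Packet(0.1,   "tcp", "10.0.0.5", "10.0.0.20", 22, "PA"),  # first data segment -> alert
    Packet(0.2,   "tcp", "10.0.0.5", "10.0.0.20", 22, "PA"),  # same dst, same window -> suppressed
    Packet(90.0,  "tcp", "10.0.0.6", "10.0.0.20", 22, "PA"),  # other client, same dst -> suppressed (by_dst)
    Packet(90.0,  "tcp", "10.0.0.6", "10.0.0.21", 22, "PA"),  # other server -> its own window -> alert
    Packet(100.0, "udp", "10.0.0.7", "10.0.0.20", 22, ""),    # not tcp -> never matches
    Packet(650.0, "tcp", "10.0.0.5", "10.0.0.20", 22, "PA"),  # 600 s since 0.1 elapsed -> new window -> alert
]


def ssh_rule_threshold() -> Threshold:
    """The threshold clause exactly as written in the rule above."""
    return Threshold("limit", "by_dst", 1, 600)


if __name__ == "__main__":
    for ts, src, dst in run_rule(SAMPLE, ssh_rule_threshold()):
        print(f"[**] [1:1000001:1] SSH TRAFFIC [**] t={ts:6.1f} {src} -> {dst}:22")
```

Run as written, the sample produces three alerts (at t=0.1, t=90 for the second server, and t=650 once the first server's window has expired); the second client hitting 10.0.0.20 at t=90 is silent because tracking is by destination. Swapping in Threshold("threshold", "by_dst", 2, 600) instead alerts only on every second matching packet per server, which is the usual way to turn this from a "someone used SSH" notice into a volume indicator. After the rule is in local.rules, snort -T -c /etc/snort/snort.conf on a stand-alone sensor parses the rule set without sniffing and reports any syntax error before the rule is deployed.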
Adding the Rule
Append the rule to the local.rules file and make sure the line that includes local.rules in the Snort configuration file (snort.conf under /etc/snort) is not commented out; use a SID of 1000000 or above, as here, so the rule cannot collide with vendor-supplied signatures.
On the Defense Center, select the sensor (on a stand-alone sensor, work on the sensor itself), import the rule and then push the updated policy to the sensor so it is actually loaded.