Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

[Snort-users] ssh cracking

19 views
Skip to first unread message

Balla István

unread,
May 11, 2013, 4:00:56 PM5/11/13
to
hey guys,

could you tell me what rule is for ssh pw cracking. e.g. when using hydra with -P xyz.lst?
thx

Michael Brown

unread,
May 11, 2013, 4:12:11 PM5/11/13
to
Are you saying that you want to determine what the pw is with Snort ? 


Thank you,

Michael A. Brown
B.S. Information Technology: Network Specialist
A.A.S. Information Technology: Technical Support

"The only thing for the triumph of evil is for good men to do nothing" -Edmund Burke


On Sat, May 11, 2013 at 4:11 PM, Michael Brown <mike.a....@gmail.com> wrote:
Bella

Are you saying that you want to determine what the pw is with Snort ? 

Thank you,

Michael A. Brown
B.S. Information Technology: Network Specialist
A.A.S. Information Technology: Technical Support

"The only thing for the triumph of evil is for good men to do nothing" -Edmund Burke


------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and
their applications. This 200-page book is written by three acclaimed
leaders in the field. The early access version is available now.
Download your free book today! http://p.sf.net/sfu/neotech_d2d_may
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!


Balla István

unread,
May 11, 2013, 4:27:04 PM5/11/13
to
:D cool idea...
sorry if i wasnt clear. i m attacking one of my vm (which runs an ssh server) with hydra cracking tool. snort is between the attacking and the attacked vm. i wonder which rule or signature detect that attack.


2013/5/11 Michael Brown <mike.a....@gmail.com>

Jeremy Hoel

unread,
May 11, 2013, 4:45:38 PM5/11/13
to
If you do a pcap of a normal login, and one that is being attempted bu
the hydra tool.. are there any differences? ie: After the key
exchange, do you see anything? Is the key different?

A signature has to be written for something that snort would pickup..
if the logins all look the same, from a tcp standpoint, then there's
no way to write a signature for that. At least not that I know.

Y M

unread,
May 12, 2013, 1:02:16 AM5/12/13
to
My understanding of Hydra is that it attempts to brute force the SSH password using password lists/dictionaries. In this case, a rule might be helpful in detecting SSH brute forces which rule sid: 19559. May be not specifically tailored to detect Hydra, but can help in detecting brute forces.

Try enabling this rule, and the conduct your Hydra test again, and see what happens.


Date: Sat, 11 May 2013 22:27:04 +0200
From: ball...@gmail.com
To: snort...@lists.sourceforge.net
Subject: Re: [Snort-users] ssh cracking
0 new messages