Question about SSH SCAN rule

noob_17 · November 16, 2022, 12:09pm

Hello,

I get a lot of alerts with this rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; reference:url,doc.emergingthreats.net/2001219; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

This rule is supposed to generate an alert if it detects 5 or more SSH scans in 120 seconds. In my analysis, i noticed that, in this particular example, some external address is generating traffic to one internal IP:

We can see that the traffic is composed of 14 packets is is enough to generate the alert. But, when i check the alert info it shows this (only 1 packet):

ssh_scan_2

How can i explain this behaviour?

Thanks in advance

IDSTower · November 16, 2022, 7:11pm

Suricata threashold in your rule track this rule by source ip, and it basically count the flows not the packets.

Once the flows number is reached, it alerts on the flow that passed the threshold, probably on the first packets (depending on how protocol is detected), thats why you see only the numbers related to latest flow (the one that triggered the threshold)

Topic		Replies	Views
Can not get SSH alert	7	210	November 27, 2023
Help understanding UDP flows and alerting Rules rules , suricata	6	1290	June 30, 2022
Count flows in the rule Rules suricata	1	333	January 2, 2023
Track number of accessed hosts outbound Rules	1	323	June 4, 2022
Alert on bytes_toserver > N or pkts_toserver > N Rules	15	2028	July 6, 2020

Question about SSH SCAN rule

Related Topics