On Fri, 3 Jun 2005 08:11:51 -0400 (EDT) dave@private wrote:

> I'm working on a logsurfer rule to notify me of an attack denoted by
> 10 or more accesses from a single place trying passwords. I know the

Dave,

Sorry this isn't a direct answer to your question, but a crude brute force tool that I have that may be of interest is sshdict located here:

<http://aharp.ittns.northwestern.edu/software/>

I mention it partially to provide some additional insight as well. For example, I have noticed that many brute force attacks attempt less than 10 logins and this script will often catch them so I changed the report to use a scoring algorithm rather than just login attempts.

I do plan on adding support for some ssh.com logs (my note in the script about it being harder I do not believe is actually the case the last time I looked) as well as some of the newer OpenSSH logs when I have a chance.

Of course I welcome updates and feedback, or you can just take it and use it as you please.

John

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
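An added example, not part of the original message and not sshdict's code or algorithm: a minimal per-source scoring pass over sshd failure lines, compared against a plain "10 or more attempts" threshold. The weights, thresholds, function names and sample log lines are assumptions constructed for illustration, and the regex assumes the OpenSSH "Failed password for [invalid user] NAME from ADDR" message format.

```python
import re
from collections import defaultdict

# Constructed sample lines (addresses are from documentation ranges).
SAMPLE_LOG = """\
Jun  3 08:01:10 host sshd[411]: Failed password for invalid user admin from 192.0.2.10 port 4001 ssh2
Jun  3 08:01:12 host sshd[412]: Failed password for invalid user test from 192.0.2.10 port 4002 ssh2
Jun  3 08:01:14 host sshd[413]: Failed password for root from 192.0.2.10 port 4003 ssh2
Jun  3 08:01:16 host sshd[414]: Failed password for invalid user guest from 192.0.2.10 port 4004 ssh2
Jun  3 09:15:02 host sshd[501]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Jun  3 09:15:09 host sshd[502]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Jun  3 09:15:20 host sshd[503]: Accepted password for alice from 198.51.100.7 port 5003 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (invalid user )?(\S+) from (\S+) port \d+")

# Assumed weights: guessing at nonexistent accounts, root, or many different
# names looks more like a dictionary attack than a user mistyping a password.
W_VALID, W_INVALID, W_ROOT, W_EXTRA_NAME = 1, 3, 3, 2

def score_sources(log_text):
    """Return {source: {"attempts": n, "score": s}} for failed logins."""
    attempts, points, names = defaultdict(int), defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue
        invalid, user, src = m.groups()
        attempts[src] += 1
        if invalid:
            points[src] += W_INVALID
        elif user == "root":
            points[src] += W_ROOT
        else:
            points[src] += W_VALID
        # Each additional distinct username from the same source adds weight.
        if names[src] and user not in names[src]:
            points[src] += W_EXTRA_NAME
        names[src].add(user)
    return {s: {"attempts": attempts[s], "score": points[s]} for s in attempts}

def flagged(log_text, count_threshold=10, score_threshold=10):
    """Return (sources flagged by raw count, sources flagged by score)."""
    result = score_sources(log_text)
    by_count = sorted(s for s, v in result.items() if v["attempts"] >= count_threshold)
    by_score = sorted(s for s, v in result.items() if v["score"] >= score_threshold)
    return by_count, by_score

if __name__ == "__main__":
    print(flagged(SAMPLE_LOG))
```

On the constructed sample, the source with only four attempts is missed by the count threshold but flagged by score, while the user who mistyped a password twice before logging in is not flagged by either.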