- 22日08時頃から23日16時
- 295の機械からの1592回の分散総当り攻撃,1時間当り30IPが同数程度攻撃する.
- バナーは全てSSH-2.0-libssh-0.2
- クライアントバナーSSH-2.0-libssh-0.1を検出するsnortルール
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"Possible SSH brute force attempt"; \
flow:to_server,established; \
threshold:type threshold, track by_src, count 5, seconds 60; \
content:"SSH-2.0-libssh-0.1"; offset: 0; depth: 18;)
- OSは不明なもの以外Linux2.4もしくは2.6
- リンク
- 攻撃回数の分布,3回単位なのか3の倍数が多い.
| 攻撃回数 |
IP数 |
| 21 |
1 |
| 20 |
0 |
| 19 |
0 |
| 18 |
1 |
| 17 |
0 |
| 16 |
0 |
| 15 |
5 |
| 14 |
0 |
| 13 |
1 |
| 12 |
14 |
| 11 |
1 |
| 10 |
0 |
| 9 |
40 |
| 8 |
1 |
| 7 |
0 |
| 6 |
76 |
| 5 |
3 |
| 4 |
0 |
| 3 |
143 |
| 2 |
9 |
| 1 |
0 |
| 国名 |
IP数 |
| GERMANY |
40 |
| UNITED-STATES |
24 |
| BRAZIL |
18 |
| ITALY |
18 |
| FRANCE |
18 |
| POLAND |
17 |
| EUROPA |
16 |
| AUSTRIA |
12 |
| UNITED-KINGDOM |
10 |
| SPAIN |
9 |
| COLOMBIA |
8 |
| NETHERLANDS |
9 |
| CHINA |
6 |
| ARGENTINA |
6 |
| CZECH-REPUBLIC |
6 |
| SWEDEN |
6 |
| SWITZERLAND |
6 |
| ROMANIA |
6 |
| RUSSIAN-FEDERATION |
6 |
| MEXICO |
5 |
| BELGIUM |
4 |
| UKRAINE |
4 |
| CANADA |
3 |
| FINLAND |
3 |
| SLOVAKIA |
2 |
| DENMARK |
2 |
| PERU |
2 |
| INDONESIA |
2 |
| AUSTRALIA |
2 |
| CHILE |
2 |
| JAPAN |
2 |
| ESTONIA |
2 |
| HUNGARY |
2 |
| VENEZUELA |
1 |
| LITHUANIA |
1 |
| SERBIA-AND-MONTENEGRO |
1 |
| ISRAEL |
1 |
| SRI-LANKA |
1 |
| BULGARIA |
1 |
| COSTA-RICA |
1 |
| BURKINA-FASO |
1 |
| COTE-DIVOIRE |
1 |
| INDIA |
1 |
| PANAMA |
1 |
| KOREA-REPUBLIC-OF |
1 |
| TURKEY |
1 |
| SOUTH-AFRICA |
1 |
| PHILIPPINES |
1 |
| PORTUGAL |
1 |
| THAILAND |
1 |
