**ssh suricata**

![](https://i.imgur.com/Bm7ECi3.jpg)

Add a rule:

![](https://i.imgur.com/Wf1ZmQz.jpg)

```
#ssh (port 5228=Google Talk, port 6697=IRC)
alert tcp any any -> any 22 (msg:"LOCAL SSH connect"; flow:established,to_server; app-layer-protocol:ssh; sid:1000008; rev:1;)
drop tcp any any -> any 22 (msg:"LOCAL not SSH but Port 22"; flow:established,to_server; app-layer-protocol:!ssh; sid:1000009; rev:1;)
drop tcp any any -> any ![22,5228,6697] (msg:"LOCAL SSH but not Port 22"; flow:established,to_server; app-layer-protocol:ssh; sid:1000010; rev:1;)
```

![](https://i.imgur.com/AOJ5Qfe.jpg)
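The three rules split traffic into cases by destination port and the application-layer protocol Suricata detects: SSH on port 22 is only logged, anything that is not SSH on port 22 is dropped, and SSH on any port other than 22 (with 5228 and 6697 exempted) is dropped. The following is an added example, not part of the note and not Suricata code: a small Python matcher that parses these rules and evaluates constructed flow records against them, so you can check which sid and action each case produces before loading the rules. It simplifies Suricata's engine (only the port and `app-layer-protocol` keywords are evaluated; `flow:` state is assumed satisfied; the `app_proto` value stands for the protocol Suricata's detection would have assigned).

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed copy of the three rules from the note, used as parser input.
RULE_TEXT = """
#ssh (port 5228=Google Talk, port 6697=IRC)
alert tcp any any -> any 22 (msg:"LOCAL SSH connect"; flow:established,to_server; app-layer-protocol:ssh; sid:1000008; rev:1;)
drop tcp any any -> any 22 (msg:"LOCAL not SSH but Port 22"; flow:established,to_server; app-layer-protocol:!ssh; sid:1000009; rev:1;)
drop tcp any any -> any ![22,5228,6697] (msg:"LOCAL SSH but not Port 22"; flow:established,to_server; app-layer-protocol:ssh; sid:1000010; rev:1;)
"""

@dataclass
class Rule:
    action: str          # "alert" or "drop"
    dst_ports: set[int]  # ports listed in the header
    negate_ports: bool   # True for "![...]" port lists
    proto: str           # value of app-layer-protocol, without "!"
    negate_proto: bool   # True for "app-layer-protocol:!proto"
    msg: str
    sid: int

# Only the header shape used by these rules is supported (assumption of this example).
HEADER = re.compile(r"^(alert|drop)\s+tcp\s+any\s+any\s+->\s+any\s+(!?)(\S+)\s+\((.*)\)$")

def parse_ports(spec: str) -> set[int]:
    """'22' or '[22,5228,6697]' -> set of ints."""
    return {int(p) for p in spec.strip("[]").split(",")}

def parse_rule(line: str) -> Rule:
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule header: {line!r}")
    action, neg, ports, opts = m.groups()
    options: dict[str, str] = {}
    for opt in opts.split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            options[key.strip()] = val.strip()
    proto = options["app-layer-protocol"]
    return Rule(
        action=action,
        dst_ports=parse_ports(ports),
        negate_ports=(neg == "!"),
        proto=proto.lstrip("!"),
        negate_proto=proto.startswith("!"),
        msg=options["msg"].strip('"'),
        sid=int(options["sid"]),
    )

def parse_rules(text: str) -> list[Rule]:
    """Skip blank and '#' comment lines, parse the rest."""
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

RULES = parse_rules(RULE_TEXT)

def rule_matches(rule: Rule, dst_port: int, app_proto: str) -> bool:
    # "!=" with the negate flag flips the membership test for negated headers/keywords.
    port_ok = (dst_port in rule.dst_ports) != rule.negate_ports
    proto_ok = (app_proto == rule.proto) != rule.negate_proto
    return port_ok and proto_ok

def verdict(dst_port: int, app_proto: str) -> tuple[str, list[int]]:
    """Return (action, matching sids). drop outranks alert, as in Suricata's action order."""
    sids = [r.sid for r in RULES if rule_matches(r, dst_port, app_proto)]
    actions = {r.action for r in RULES if r.sid in sids}
    action = "drop" if "drop" in actions else "alert" if "alert" in actions else "none"
    return action, sids

if __name__ == "__main__":
    # Constructed flows: (destination port, protocol as detected by Suricata).
    for port, proto in [(22, "ssh"), (22, "http"), (2222, "ssh"), (5228, "ssh"), (443, "tls")]:
        print(f"dst={port:<5} proto={proto:<5} -> {verdict(port, proto)}")
```

Running it shows the intended split: only SSH-on-22 produces an alert, non-SSH on 22 and SSH on an unexpected port produce a drop, and SSH to 5228 or 6697 matches nothing. Note that in real Suricata `app-layer-protocol:!ssh` only matches after protocol detection has completed for the flow, so the very first packets of a connection on port 22 are not dropped by sid 1000009 before Suricata knows what the protocol is.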