Looking for an SSH password-fail attempt in a Wireshark capture


Our IPS is picking up a brute force attempt from a server in our environment. Server admins are in denial that the pw is failing, but acknowledge there are a lot of logins. I took a capture of the SSH traffic from the server. I see a few SSH sessions taking place, then eventually the IPS blocks the attempts and I get 3 initial SYN packets outbound when the IPS blocks the IP address of the server.

What would I look for in the capture of the initial connections that appear to connect and close to show me there is a password failure?

I see the 3-way handshake, the key exchanges, the Diffie-Hellman exchange, several encrypted packets and the FIN/ACK sequences. What in this capture would the IPS trigger on to know there is a failed attempt? Is there some telltale info in a header?

So far I am not getting good info from the IPS team on what the signature is triggering upon, but I have to assume for now it's seeing an actual brute force attempt. Perhaps it's the number of new sessions and not actual failures. If there is no known way to detect a pw fail in a capture, the excessive creation and teardown may be the cause.

Once this IPS block occurs, the IPS blocks all traffic to / from the server and it's offline for legitimate uses.

I googled a bit for Wireshark SSH password failures but get a lot of stuff not fitting the scenario. Figured someone here could help point me in the right direction to look.


Once the IPS blocks, here is what it looks like:

All traffic from the IP is blocked going outbound and the server is down.


Did some side research on the IPS. I found some information that the IPS considers 20 sessions in 60 seconds a brute force attempt, even if the sessions are successfully passworded, so the capture does show a boatload of session creation and teardown. This may be the application doing the traffic is using a correct password, but is doing way too many new logins for the IPS not to notice. Passing my information in both directions (IPS guys and Admin guys) on this one.

If anyone does know of a way to confirm if the password fails, let me know. Thanks.
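The rate rule the poster found (20 sessions in 60 seconds) can be checked directly against the capture. The following Python script is an added example, not code from the original post or from any IPS vendor. It assumes the capture has been exported with tshark as tab-separated fields (timestamp, source, destination, destination port, SYN flag, ACK flag), which the script stands in for with constructed sample lines, and it assumes the SSH server listens on port 22. It counts bare SYNs to the SSH port per client/server pair in a sliding 60-second window and reports the moment the 20th one lands. It cannot tell a failed password from a successful one: SSH user authentication runs after the key exchange, inside the encrypted stream, so a packet capture only shows how often sessions are opened and torn down, which is exactly the signal a rule like this keys on.

```python
"""Count new SSH sessions per client in a sliding window (added example).

SSH authentication messages are exchanged after the keys are in place and
are therefore encrypted; a capture shows only handshakes, key exchange,
encrypted records and teardown. What a rate-based IPS rule can see is how
many new sessions a client opens, so this script counts bare SYNs to the
SSH port per (client, server) pair and reports the first moment a pair
reaches THRESHOLD new sessions within WINDOW seconds.
"""
from collections import defaultdict, deque

THRESHOLD = 20      # sessions (the rule the poster found)
WINDOW = 60.0       # seconds
SSH_PORT = 22       # assumption: SSH on the default port


def build_sample():
    """Constructed segment list in the shape of
    `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
     -e tcp.flags.syn -e tcp.flags.ack` output (tab separated, one TCP
    segment per line). Hosts and timestamps are invented."""
    lines = []
    # 10.0.0.5 opens 21 SSH sessions to 10.0.0.9, one every 2.5 s.
    for i in range(21):
        t = 1000.0 + 2.5 * i
        lines.append(f"{t:.3f}\t10.0.0.5\t10.0.0.9\t22\t1\t0")            # SYN
        lines.append(f"{t + 0.01:.3f}\t10.0.0.9\t10.0.0.5\t51000\t1\t1")  # SYN/ACK
        lines.append(f"{t + 0.02:.3f}\t10.0.0.5\t10.0.0.9\t22\t0\t1")     # ACK
    # 10.0.0.7 opens one SSH session every 10 s: never 20 within 60 s.
    for i in range(8):
        t = 1000.0 + 10.0 * i
        lines.append(f"{t:.3f}\t10.0.0.7\t10.0.0.9\t22\t1\t0")
    # Unrelated HTTPS SYNs from the busy host must be ignored by the port filter.
    for i in range(30):
        lines.append(f"{1000.0 + i:.3f}\t10.0.0.5\t10.0.0.9\t443\t1\t0")
    return sorted(lines, key=lambda l: float(l.split("\t")[0]))


def parse_line(line):
    """Return (ts, src, dst, dport, syn, ack) or None for a malformed line.
    Flag fields are accepted as "1"/"0" or "True"/"False", since tshark
    versions differ in how they print boolean fields."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    try:
        return (float(parts[0]), parts[1], parts[2], int(parts[3]),
                parts[4] in ("1", "True"), parts[5] in ("1", "True"))
    except ValueError:
        return None


def is_new_ssh_session(rec, ssh_port=SSH_PORT):
    """A bare SYN (no ACK) to the SSH port is the start of a new session."""
    ts, src, dst, dport, syn, ack = rec
    return syn and not ack and dport == ssh_port


def find_bursts(lines, threshold=THRESHOLD, window=WINDOW, ssh_port=SSH_PORT):
    """Return {(client, server): first_trigger_time} for every pair that
    opened `threshold` or more new SSH sessions within `window` seconds."""
    recent = defaultdict(deque)   # (src, dst) -> SYN timestamps inside the window
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_new_ssh_session(rec, ssh_port):
            continue
        ts, src, dst = rec[0], rec[1], rec[2]
        key = (src, dst)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:      # drop SYNs that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts


def session_totals(lines, ssh_port=SSH_PORT):
    """Total new SSH sessions per (client, server) over the whole capture."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_new_ssh_session(rec, ssh_port):
            totals[(rec[1], rec[2])] += 1
    return dict(totals)


if __name__ == "__main__":
    sample = build_sample()
    print("new SSH sessions per pair:", session_totals(sample))
    for (src, dst), t in find_bursts(sample).items():
        print(f"{src} -> {dst}: {THRESHOLD} new sessions within "
              f"{WINDOW:.0f}s reached at t={t:.3f}")
```

To run it against the real capture, replace `build_sample()` with the lines of `tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack` (tab is tshark's default field separator). If the busy pair's first trigger time lines up with the moment the IPS started blocking, the rate rule explains the block without any password ever having failed; the teardown right after each session is what to hand the admins, since the capture can show session churn but not authentication results.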