Snort mailing list archives
Re: Brute force attacks
From: James Riden <j.riden () massey ac nz>
Date: Sun, 16 Jan 2005 13:15:51 +1300
David Jiménez Domínguez <djdsecurity () gmail com> writes:
Hi list! Could somebody help me? How do I configure Snort (2.2.0 or 2.3) in order to detect brute force attacks against services like ssh, telnet or mysql?
There is an example rule at http://www.bleedingsnort.com/ to detect brute-force SSH attacks. Telnet and mysql will be similar.

From rules/bleeding-scan.rules:

    alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:8;)

However, this would be better done on the servers, e.g. with logwatch, rather than on a Network Intrusion Detection System, and better still is to force strong passwords that it's not feasible to guess by brute force.

cheers,
Jamie

--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
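The server-side approach recommended in the reply above, as an added example that is not part of the original post or of logwatch: it counts real authentication failures per source in the sshd log, borrowing the rule's numbers (5 events from one source within 120 seconds). The function name, the sample log lines and the OpenSSH syslog "Failed password" line format are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Same numbers as the rule's threshold option: 5 events per source in 120 s.
COUNT, SECONDS = 5, 120

# Assumed OpenSSH syslog format:
# "Jan 16 13:00:01 host sshd[411]: Failed password for root from 192.0.2.7 port 40001 ssh2"
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def brute_force_sources(lines, year=2005, count=COUNT, seconds=SECONDS):
    """Return {source: time it first reached `count` failures within `seconds`}."""
    recent = defaultdict(deque)  # source -> failure times inside the window
    flagged = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue  # accepted logins, other daemons, noise
        # syslog timestamps carry no year, so the caller supplies one
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["src"]]
        window.append(ts)
        while (ts - window[0]).total_seconds() > seconds:
            window.popleft()  # forget failures older than the window
        if len(window) >= count and m["src"] not in flagged:
            flagged[m["src"]] = ts
    return flagged

# Constructed sample: 192.0.2.7 fails 5 times in 40 s, 198.51.100.9 fails
# 5 times spread over 12 minutes, 203.0.113.5 logs in normally.
SAMPLE = (
    [f"Jan 16 13:00:{s:02d} web1 sshd[411]: Failed password for invalid user "
     f"admin from 192.0.2.7 port 40001 ssh2" for s in (1, 11, 21, 31, 41)]
    + [f"Jan 16 13:{mi:02d}:00 web1 sshd[412]: Failed password for root "
       f"from 198.51.100.9 port 40002 ssh2" for mi in (0, 3, 6, 9, 12)]
    + ["Jan 16 13:01:00 web1 sshd[413]: Accepted password for alice "
       "from 203.0.113.5 port 40003 ssh2"]
)

if __name__ == "__main__":
    for src, when in brute_force_sources(SAMPLE).items():
        print(f"{src} reached {COUNT} failed logins within {SECONDS}s at {when}")
```

Unlike the SYN-counting rule, this only counts connections that actually failed authentication, so a busy legitimate client opening many sessions is not flagged.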