Snort mailing list archives
Re: Brute force attacks
From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 17 Jan 2005 14:15:15 +0100
On Sun, 16 Jan 2005 at 01:15, James Riden wrote:
> David Jiménez Domínguez <djdsecurity () gmail com> writes:
>
> > Hi list!!!! Could somebody help me.... How do I configure snort (2.2.0 or 2.3) in order to detect brute force attacks against services like ssh, telnet or mysql???
>
> There is an example rule at http://www.bleedingsnort.com/ to detect brute-force SSH attacks. Telnet and mysql will be similar.
>
> from rules/bleeding-scan.rules:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:8;)
>
> However, this would be better done on the servers, e.g. with logwatch, rather than on a Network Intrusion Detection System, and better still is to force strong passwords that are not feasible to guess by brute force.
>
> cheers,
> Jamie
This will probably work if the attack is very quick and the hacker is very anxious to reach his objective, but if he is patient and runs a very relaxed attack, with fewer dictionary attempts than the threshold of the rule, then it's useless. The logwatch solution, or forcing strong passwords on the users, is better, as you say.

--
Jose Maria Lopez Hernandez
Technical Director, bgSEC
jkerouac () bgsec com

bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
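The evasion Jose describes can be shown by replaying two constructed attackers through a model of the rule's threshold and then through a host-side count of sshd failures. This is an added example, not code from the thread, from Snort or from Bleeding Snort: the `type threshold, track by_src, count 5, seconds 120` semantics are a simplified model of Snort's counter, and every address, timing and log line is constructed for the demonstration.

```python
"""Added example: a fixed 5-in-120-seconds Snort threshold versus a patient
attacker, compared with a logwatch-style count of sshd failures per source.

Not code from the thread or from Snort/Bleeding Snort. The threshold logic is a
simplified model of `threshold:type threshold, track by_src, count 5, seconds 120`;
addresses (203.0.113.x, 192.0.2.x), timings and log lines are constructed.
"""
import re
from collections import Counter

RULE_COUNT = 5      # values from the bleeding-scan.rules example in the thread
RULE_SECONDS = 120


def snort_threshold_alerts(events, count=RULE_COUNT, seconds=RULE_SECONDS):
    """Replay (timestamp, src_ip) events matching the rule header (a TCP SYN to
    port 22) through a model of Snort's 'type threshold' counter, tracked by
    source. A window opens on the first event from a source; once `count`
    events fall inside `seconds` of that opening the rule alerts and the
    counter resets. An event arriving after the window has expired opens a
    fresh window with count 1. Returns the list of (timestamp, src) alerts.
    """
    state = {}   # src -> [window_start, events_in_window]
    alerts = []
    for ts, src in events:
        window = state.get(src)
        if window is None or ts - window[0] > seconds:
            window = state[src] = [ts, 0]
        window[1] += 1
        if window[1] >= count:
            alerts.append((ts, src))
            del state[src]   # counter resets after the alert fires
    return alerts


def make_syn_events(src, first_ts, attempts, interval):
    """Constructed SYN stream: `attempts` connections from `src`, one every `interval` s."""
    return [(first_ts + i * interval, src) for i in range(attempts)]


FAST_ATTACKER = "203.0.113.5"    # constructed: 40 connections in 20 s
SLOW_ATTACKER = "203.0.113.77"   # constructed: one connection every 45 s for an hour


def alerts_per_source():
    """How many times the rule fires for each constructed attacker."""
    events = (make_syn_events(FAST_ATTACKER, 0.0, 40, 0.5)
              + make_syn_events(SLOW_ATTACKER, 0.0, 80, 45.0))
    events.sort()
    alerts = snort_threshold_alerts(events)
    return {src: sum(1 for _, s in alerts if s == src)
            for src in (FAST_ATTACKER, SLOW_ATTACKER)}


# What the server itself logs: one line per failed password, however slowly they arrive.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def make_sshd_lines(src, user, attempts):
    """Constructed OpenSSH auth-log lines in syslog format; timestamps are placeholders."""
    return [
        f"Jan 17 {10 + i // 3600:02d}:{(i // 60) % 60:02d}:{i % 60:02d} bastion sshd[{2000 + i}]: "
        f"Failed password for {user} from {src} port {40000 + i} ssh2"
        for i in range(attempts)
    ]


def failed_logins_by_src(lines, min_failures=10):
    """Logwatch-style daily summary: count password failures per source over the
    whole log rather than per 120 s window; report sources at or above `min_failures`."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= min_failures}


def host_summary():
    log = (make_sshd_lines(FAST_ATTACKER, "root", 40)
           + make_sshd_lines(SLOW_ATTACKER, "invalid user admin", 80)
           + make_sshd_lines("192.0.2.10", "alice", 2))   # a real user mistyping twice
    return failed_logins_by_src(log)


if __name__ == "__main__":
    print("Snort rule alerts per source:", alerts_per_source())
    print("Host log failures per source:", host_summary())
```

The slow attacker makes 80 guesses in an hour and never trips the rule, because no 120-second window ever holds five of its connections, while the same 80 failures are obvious in a whole-day count of the server's own log. A further caveat: the rule counts SYNs (`flags:S`), and a client can try several passwords per connection (OpenSSH's `MaxAuthTries` defaults to 6), so even the fast attacker generates fewer network events than actual guesses.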
Current thread:
- Brute force attacks David Jiménez Domínguez (Jan 15)
- Re: Brute force attacks Jose Maria Lopez (Jan 15)
- Re: Brute force attacks James Riden (Jan 15)
- Re: Brute force attacks Jose Maria Lopez (Jan 17)
- ISS vs Snort Theodore Stout (Jan 17)
- Re: Brute force attacks Jose Maria Lopez (Jan 17)