Snort mailing list archives
Re: Trouble in triggering the snort rule to detect FTP Brute Force attack
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Mon, 12 Apr 2010 08:53:40 -0500
Hi, this is L0rd Ch0de1m0rt. The Emerging Threats community (a snort-based friendly and helpful group of people) has a similar looking FTP brute-force rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force; sid:2002383; rev:11;)

This alerts on 5 failed logins within 300 seconds so tweak it as necessary to do the needful in your environment. If you only want to alert on 'administrator' login attempts, I suggest you investigate using flowbits since the attempted username and corresponding failed login message will be in different packets.

Hope this helps.

Cheers.
-L0rd Ch0de1m0rt

On Mon, Apr 12, 2010 at 5:07 AM, manjushree ks <manjushree.ks () hotmail com> wrote:
Hi, This is Manju writing in to request any suggestions on the below snort rule: a rule that will detect more than 3 unsuccessful login attempts on an FTP server within a minute with username administrator or Administrator or ADMINISTRATOR. The hacker is trying to login with the username administrator or Administrator or ADMINISTRATOR.

Below is the rule that I have been trying out:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; flow:to_server,established; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi"; content:"Administrator"; nocase; threshold:type threshold, track by_src, count 3, seconds 60; classtype:suspicious-login; sid:3000002;)

I have tried to login into an FTP server and below are the results:

******************************************
root@ubuntu:~# ftp ftp.microsoft.com
Connected to ftp.microsoft.akadns.net.
220 Microsoft FTP Service
Name (ftp.microsoft.com:manjushree): administrator
331 Password required for administrator.
Password:
530 User cannot log in.
Login failed.
Remote system type is Windows_NT.
ftp> user administrator
331 Password required for administrator.
Password:
530 User cannot log in.
Login failed.
ftp> user administrator
331 Password required for administrator.
Password:
530 User cannot log in.
Login failed.
************************************************

But I don't have alerts being triggered. Could anyone please let me know where am I going wrong?

Thanks!
Manju

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
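An added example, not from the thread, of the flowbits approach L0rd Ch0de1m0rt points to: the first rule records a "USER administrator" command on the flow without alerting, and the second counts the server's 530 replies only on flows carrying that bit. The 530 reply travels from server to client, so the counting rule is written from_server like the ET rule. The msg strings, sids and the flowbit name ftp.admin_user are assumptions.

```snort
# Added example rule pair (assumed names and sids, not from the thread).
# Rule 1: client sends USER administrator (any case). Set a flowbit, no alert.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER administrator seen"; flow:to_server,established; content:"USER "; nocase; depth:5; pcre:"/^USER\s+administrator\s*$/mi"; flowbits:set,ftp.admin_user; flowbits:noalert; classtype:attempted-recon; sid:1000001; rev:1;)

# Rule 2: server answers 530 on a flow where the bit is set. Count per attacker
# (the destination of the reply) and alert on 3 failures within 60 seconds.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP brute force against administrator account"; flow:from_server,established; flowbits:isset,ftp.admin_user; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi"; flowbits:unset,ftp.admin_user; threshold:type threshold, track by_dst, count 3, seconds 60; classtype:suspicious-login; sid:1000002; rev:1;)
```

The unset after each 530 means a later failure on the same session counts only if the client sends USER administrator again, which is what the transcript above shows; the count and seconds values are a starting point to tune for the local environment.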
Current thread:
- Trouble in triggering the snort rule to detect FTP Brute Force attack manjushree ks (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Eoin Miller (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Nigel Houghton (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack evilghost () packetmail net (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Joel Esler (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack evilghost () packetmail net (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack CunningPike (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack evilghost () packetmail net (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Nigel Houghton (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Eoin Miller (Apr 12)