Snort mailing list archives

Re: FTP brute Force attack


From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 13 Jun 2013 12:28:55 -0400

On 6/13/2013 07:33, sumitkamboj88 () gmail com wrote:
Hello everyone,
I am using the rule below to detect FTP brute force attacks.
    alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 60; sid:2002383; rev:10;)

It is working properly, but when I check the generated log file using u2spewfoo it
shows the source of the attack as the destination and the destination of the
attack as the source (meaning it shows the attacker as the target). I also know why this is
happening: the "530 Login incorrect" message is generated by the FTP server.
I just want to know whether there is any way to get a generated log that shows the
actual source and destination of the attack.

no, not with snort or most snort-related tools... the rule is reporting 
accurately, though...

what we have done, in an auto-response tool, is to adjust the message to add 
"BLOCKING DESTINATION"... the code in the tool detects that additional text in 
the MSG and flips the source and destination entries internally for all further 
processing... the snort log still reports them "backwards" but the 
auto-responder reports the blocked site as the "source" of the apparent 
attack... we've just had to train our folks to see them backwards in the same 
way as the auto-responder when they see the additional text in the MSG...

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
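The post-processing the reply describes, as an added example that is not code from the thread or from any Snort tool: instead of keying on a marker in the MSG, it parses the rule's own `flow` option, and for a `from_server`/`to_client` rule it swaps src and dst so the alert names the client that sent the failed logins as the attacker. The rule text is the one quoted above; the alert record and the IP addresses are constructed.

```python
import re

# Constructed copy of the ET rule quoted in the thread: it fires on the FTP
# server's "530" reply, so the packet source is the server and the packet
# destination is the client that is guessing passwords.
FTP_BRUTE_RULE = (
    'alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ('
    'msg:"ET SCAN Potential FTP Brute-Force attempt"; '
    'flow:from_server,established; content:"530 "; '
    r'pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; '
    'threshold: type threshold, track by_dst, count 5, seconds 60; '
    'sid:2002383; rev:10;)'
)

# Constructed alert in the shape u2spewfoo prints: src is the server (port 21).
SAMPLE_ALERT = {"sid": 2002383, "src_ip": "192.0.2.21", "src_port": 21,
                "dst_ip": "203.0.113.7", "dst_port": 51234}

# One rule option: name, then a quoted value (escapes allowed) or a bare one.
OPTION_RE = re.compile(r'([a-z_]+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def rule_options(rule):
    """Map option name -> value (quotes removed) from the rule's option body."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    opts = {}
    for name, value in OPTION_RE.findall(body):
        opts.setdefault(name, value.strip('"'))
    return opts


def alerts_from_server(rule):
    """True when the rule matches the server's reply, i.e. the packet src is
    the service and the peer that triggered the exchange is the packet dst."""
    flow = rule_options(rule).get("flow", "")
    tokens = {t.strip() for t in flow.split(",")}
    return bool({"from_server", "to_client"} & tokens)


def orient_alert(alert, rules_by_sid):
    """Return a copy of the alert with attacker/target fields that do not
    depend on packet direction, swapping src/dst for from_server rules."""
    rule = rules_by_sid.get(alert["sid"])
    swapped = rule is not None and alerts_from_server(rule)
    out = dict(alert)
    out["attacker"] = alert["dst_ip"] if swapped else alert["src_ip"]
    out["target"] = alert["src_ip"] if swapped else alert["dst_ip"]
    out["swapped"] = swapped
    return out


if __name__ == "__main__":
    print(orient_alert(SAMPLE_ALERT, {2002383: FTP_BRUTE_RULE}))
```

The swap only re-labels the alert for reporting; the underlying Snort log keeps the packet's real src/dst, which is what the rule's `track by_dst` threshold is counting.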

Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs