Snort mailing list archives

Detecting Hydra tool - FTP attack


From: Marcio Guerreiro <marcio.guerreiro () hotmail co uk>
Date: Fri, 3 Jul 2015 10:07:48 +0100

Hi all

I am trying to figure out how to detect a number of attempts (4 - 100) of
password guessing without triggering on the normal login of the user.

For example if I use one computer to deploy the command

root@golias:~# hydra -t 1 -l mark -P passwords.txt -Vv 192.168.1.77 ftp

and the rule to detect

I would be able to capture the malicious activity, but I would also capture
the user mark logging in to the system. For me it is obvious that if I check my
log and see 10 alerts it is suspicious and I would investigate. If I see
just one alert, I would assume that the user mark has logged in normally. The
question is: does anybody know if there is any keyword that would detect
consecutive attempts rather than just one or two?

Thank you

Marcio
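
Added example, not part of the original message and not taken from the Snort project's rule sets: a per-event FTP failure rule beside a rate-based one that uses Snort's detection_filter rule option, so that alerts start only after the failure rate is exceeded. The "530 " reply prefix, the sids, the count of 4 and the 60-second window are assumptions to adjust for the server and site.

```snort
# Constructed example rules for local.rules; sids are placeholders from the local range.

# Per-event form: alerts on every failed FTP login reply, so one mistyped
# password by a legitimate user looks the same as one guess by a tool.
alert tcp $HOME_NET 21 -> any any ( \
    msg:"LOCAL FTP login failed"; \
    flow:to_client,established; \
    content:"530 "; depth:4; \
    classtype:unsuccessful-user; sid:1000001; rev:1;)

# Rate-based form: same match, but detection_filter holds the rule back until
# more than 4 failure replies have gone to the same client within 60 seconds.
# The reply travels server -> client, so the guessing host is the destination
# and is tracked with by_dst.
alert tcp $HOME_NET 21 -> any any ( \
    msg:"LOCAL FTP repeated login failures, possible password guessing"; \
    flow:to_client,established; \
    content:"530 "; depth:4; \
    detection_filter:track by_dst, count 4, seconds 60; \
    classtype:unsuccessful-user; sid:1000002; rev:1;)

# Optional (snort.conf or threshold.conf): once the rate is exceeded, every
# further failure alerts; this limits logging to one alert per client per minute.
event_filter gen_id 1, sig_id 1000002, type limit, track by_dst, count 1, seconds 60
```

A single successful login produces no 530 reply and therefore no alert from either rule; a user who mistypes a password a few times stays under the rate in the second rule.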