Snort mailing list archives
Detecting Hydra tool - FTP attack
From: Marcio Guerreiro <marcio.guerreiro () hotmail co uk>
Date: Fri, 3 Jul 2015 10:07:48 +0100
Hi all,

I am trying to figure out how to detect a number of attempts (4 - 100) of password guessing without triggering on the normal login of the user. For example, if I use one computer to deploy the command

    root@golias:~# hydra -t 1 -l mark -P passwords.txt -Vv 192.168.1.77 ftp

and the rule to detect I would be able to capture the malicious activity, but I would also capture the user mark logging in the system.

For me it is obvious that if I check my log and see 10 alerts it is suspicious and I would investigate. If I see just one alert, I would assume that the user mark has logged in normally.

The question is: does anybody know if there is any keyword that would detect consecutive attempts rather than just one or two?

Thank you
Marcio
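The thresholding asked about in the message above, as an added example that is not part of the original post and is not Snort code: it counts FTP `530` (login failed) replies per client in a sliding window and alerts once per burst when the count reaches a threshold, so a single mistyped password stays silent. The client addresses, reply texts, the `detect_bruteforce` name and its `count`/`seconds` parameters are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events: (seconds, client IP, FTP server reply line).
# All addresses and reply texts are made up for illustration.
SAMPLE_EVENTS = (
    # a normal user mistypes the password once, then logs in
    [(0, "192.168.1.20", "530 Login incorrect."),
     (5, "192.168.1.20", "230 Login successful.")]
    # one host failing ten times in ten seconds (password-guessing pattern)
    + [(10 + i, "192.168.1.50", "530 Login incorrect.") for i in range(10)]
    # four failures from one host, but spread 100 seconds apart
    + [(20 + 100 * i, "192.168.1.30", "530 Login incorrect.") for i in range(4)]
)


def detect_bruteforce(events, count=4, seconds=60):
    """Return [(time, client)] when a client reaches `count` failed logins
    (FTP reply code 530) within a sliding window of `seconds`."""
    recent = defaultdict(deque)   # client -> timestamps of recent failures
    active = set()                # clients already alerted for the current burst
    alerts = []
    for ts, client, reply in sorted(events):
        if not reply.startswith("530"):
            continue              # only failed logins count
        window = recent[client]
        window.append(ts)
        while window and ts - window[0] >= seconds:
            window.popleft()      # drop failures older than the window
        if len(window) >= count:
            if client not in active:   # one alert per burst, not per reply
                active.add(client)
                alerts.append((ts, client))
        else:
            active.discard(client)     # re-arm once the rate drops
    return alerts


if __name__ == "__main__":
    for ts, client in detect_bruteforce(SAMPLE_EVENTS):
        print(f"t={ts}s possible FTP password guessing from {client}")
```

With `count=1` the same data also flags the normal user, which is the false positive described in the message. In Snort itself, the `detection_filter` rule option (`track by_src` or `by_dst`, with `count` and `seconds`) applies a comparable per-host rate condition inside a rule.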