Snort mailing list archives

Re: FTP brute Force attack
From: "Lay, James" <james.lay () wincofoods com>
Date: Thu, 13 Jun 2013 08:30:55 -0600



This rule is firing on the response FROM your server
(flow:from_server,established), so the "source" is going to be your
server, and the destination is going to be the host that is trying to brute
force your server.  Hope that helps.




From: sumitkamboj88 () gmail com [mailto:sumitkamboj88 () gmail com] 
Sent: Thursday, June 13, 2013 5:34 AM
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] FTP brute Force attack


Hello everyone,

I am using the rule below to detect FTP brute force attacks.


alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; \
    flow:from_server,established; content:"530 "; \
    pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; \
    threshold: type threshold, track by_dst, count 5, seconds 60; \
    sid:2002383; rev:10;)


It is working properly, but when I check the generated log file using
u2spewfoo it shows the source of the attack as the destination and the
destination of the attack as the source (meaning it shows the attacker as
the target). I also know why it is happening, because the "530 login
incorrect" message is generated by FTP.

I just want to know if there is any way I can get a generated log which
shows the actual source and destination of the attack.


Warm Regards
Sumit Kumar
Guru Nanak Dev University, Amritsar
Mo:- 8968227299
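An added example, not from either poster, that post-processes alerts the way the reply describes: for a rule whose flow option is from_server, the attacker is the event's destination, so the endpoints are swapped before reporting. The u2spewfoo field labels, addresses and ports in the sample are constructed and assumed, not taken from a real log.

```python
import re

# The rule from the post. A rule whose flow option says from_server
# fires on the server's reply, so the event's "source" is the server.
RULES = [
    'alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP '
    'Brute-Force attempt"; flow:from_server,established; content:"530 "; '
    'pcre:"/530\\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; '
    'threshold: type threshold, track by_dst, count 5, seconds 60; '
    'sid:2002383; rev:10;)',
]

# Constructed text in the style of u2spewfoo's (Event) records. The field labels
# are assumed from typical output; the addresses and ports are made up.
SAMPLE_EVENTS = """\
(Event)
\tsig id: 2002383\tgen id: 1\trevision: 10\t classification: 14
\tpriority: 2\tip source: 10.0.0.5\tip destination: 203.0.113.7
\tsrc port: 21\tdest port: 51234\tprotocol: 6\timpact_flag: 0\tblocked: 0
(Event)
\tsig id: 2002383\tgen id: 1\trevision: 10\t classification: 14
\tpriority: 2\tip source: 10.0.0.5\tip destination: 203.0.113.7
\tsrc port: 21\tdest port: 51240\tprotocol: 6\timpact_flag: 0\tblocked: 0
"""

def server_response_sids(rules):
    """Return the sids of rules whose flow option includes from_server."""
    sids = set()
    for rule in rules:
        flow = re.search(r'flow:\s*([^;]*);', rule)
        sid = re.search(r'\bsid:\s*(\d+)', rule)
        if flow and sid and 'from_server' in map(str.strip, flow.group(1).split(',')):
            sids.add(int(sid.group(1)))
    return sids

def parse_events(text):
    """Pull sid and endpoints out of each (Event) record."""
    events = []
    for block in text.split('(Event)')[1:]:
        f = {k.strip(): v for k, v in re.findall(r'([a-z_ ]+?):\s*(\S+)', block)}
        events.append({'sid': int(f['sig id']), 'src': f['ip source'],
                       'dst': f['ip destination'], 'sport': int(f['src port']),
                       'dport': int(f['dest port'])})
    return events

def attacker_and_target(event, flipped_sids):
    """For server-response rules the attacker is the event's destination."""
    if event['sid'] in flipped_sids:
        return (event['dst'], event['dport']), (event['src'], event['sport'])
    return (event['src'], event['sport']), (event['dst'], event['dport'])
```

The same re-orientation applies to any other sid whose rule matches on the server's reply rather than the client's request.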
