Snort mailing list archives
Re: Fwd: Failed FTP login signature
From: Daniel Cid <danielcid () yahoo com br>
Date: Mon, 28 May 2007 11:51:45 -0300 (ART)
Hi Christopher, That's what I would call using the right tool for the wrong reasons (or something like that). The provided sshd signature does not detect brute force attacks, but multiple connections from the same source ip (failed or not). The HTTP signature can easily generate false positivies since you are just looking for the content "404", and it would not work with SSL... My point is: why not use log analysis to detect failed logins (and brute force attacks)? Both sshd, apache, apache-ssl, ftp, telnet, etc ,etc log every failed login attempt (and every successful login attempt)? By using log analysis you can reliably detect every failure and you don't need to worry about encrypted traffic. Plus, you can do more useful stuff, like detecting multiple failed login attempts followed by a success (successful brute force attack) and monitoring every successful login to your systems. I wrote a paper while back with some patterns that we can look in authentication logs: http://www.ossec.net/en/loganalysis.html And if you are looking for an open source tool to monitor all your logs (from Apache to sshd, proftpd, Windows logs, etc, etc), with the ability to execute active responses based on them (blocking ips, disabling users, etc), you can try ossec*: http://www.ossec.net http://www.ossec.net/wiki/index.php/FAQ *note that I am the author of this tool. hope it helps. -- Daniel B. Cid dcid ( at ) ossec.net --- Christopher <christopher () dorkfire com> escreveu:
Just in case anyone else finds this useful:
The SSH, and FTP rules were taken from the bleeding
snort rules.
They've been modified for use with snortsam. These
have been working
great for us. The thresholds are what make these
work great. With
snortsam, we can add DROP rules for everything from
that IP address
to our firewall.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg:
"BLOCKED
Potential SSH Scan"; \
priority:1; \
flags: S; flowbits: \
set,ssh.brute.attempt; \
threshold: type
threshold, track by_src, count 15, seconds 300; \
classtype: attempted-recon; \
reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/;
\ sid: 1000000; rev:13; fwsam: src, 30 days;) alert tcp $DMZ_NET 80 -> $EXTERNAL_NET any ( msg: "BLOCKED Excessive HTTP 404 - Possible vulnerability scan"; \ priority:1; classtype: attempted-recon; \ flow:established,from_server; \ threshold: type threshold, track by_dst, count 30, seconds 300; \ fwsam: dst, 30 days; \ sid:1000001; rev:1; \ content:"404"; nocase;) alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( msg:"BLOCKED Potential FTP Brute-Force attempt"; \ flow:from_server,established; \ content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi"; \ classtype:unsuccessful-user; \ threshold: type threshold, track by_dst, count 15, seconds 300; \ sid:1000002; rev:1; \ fwsam: dst, 30 days;) On 5/23/07, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:In an attempt to possible thwart attacks prior toarriving a the desktop, weare looking for a signature that would alert us asto when someone is tryingto FTP or SSH into a system on our network. I amthinking that if someonehas typed in 5 or 6 passwords and has notconnected, then they certainly donot have a need to be there. Does anyone out there have a signature for thistype of incident?We would probably be looking at Telnet, SSH, FTPand possible HTTP.Thanks Dwane Dwane Atkins 210-567-0158
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2express and takecontrol of your XML. No limits. Just data. Clickto get it now.http://sourceforge.net/powerbar/db2/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options orunsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
__________________________________________________ Fale com seus amigos de graça com o novo Yahoo! Messenger http://br.messenger.yahoo.com/ ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Failed FTP login signature Atkins, Dwane P (May 23)
- Message not available
- Fwd: Failed FTP login signature Christopher (May 23)
- Re: Fwd: Failed FTP login signature Daniel Cid (May 28)
- Fwd: Failed FTP login signature Christopher (May 23)
- Message not available