Snort mailing list archives
FTP brute Force attack
From: "sumitkamboj88 () gmail com" <sumitkamboj88 () gmail com>
Date: Thu, 13 Jun 2013 17:03:31 +0530
Hello everyone,

I am using the rule below to detect FTP brute-force attacks.

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 60; sid:2002383; rev:10;)

It is working properly. But when I check the generated log file using u2spewfoo, it shows the source of the attack as the destination and the destination of the attack as the source (meaning it shows the attacker as the target). I also know why this is happening: the "530 login incorrect" message is generated by the FTP server. I just want to know whether there is any way to get a generated log which shows the actual source and destination of the attack.

--
Warm Regards
Sumit Kumar
Guru Nanak Dev University, Amritsar
Mo:- 8968227299
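The direction issue described in the message above, handled at reporting time, as an added example that is not part of the original post or of Snort. It assumes alert records already decoded into dictionaries with simplified, constructed field names (not u2spewfoo's output format), and SID 1000001 is a hypothetical local rule used only for contrast.

```python
from collections import defaultdict

# Rules that match server replies (flow:from_server): the packet that fires
# the alert travels server -> client, so the attacker is the packet's destination.
# 2002383 is the rule from the post; extend the set for other response-based rules.
SERVER_RESPONSE_SIDS = {2002383}

def with_roles(alert):
    """Return a copy of the alert with explicit attacker/target fields."""
    out = dict(alert)
    if alert["sid"] in SERVER_RESPONSE_SIDS:
        out["attacker"], out["target"] = alert["dst_ip"], alert["src_ip"]
    else:
        out["attacker"], out["target"] = alert["src_ip"], alert["dst_ip"]
    return out

def summarize_by_attacker(alerts):
    """Group alerts by attacker: alert count, targets hit, first and last timestamp."""
    summary = defaultdict(lambda: {"alerts": 0, "targets": set(), "first": None, "last": None})
    for a in map(with_roles, alerts):
        s = summary[a["attacker"]]
        s["alerts"] += 1
        s["targets"].add(a["target"])
        s["first"] = a["ts"] if s["first"] is None else min(s["first"], a["ts"])
        s["last"] = a["ts"] if s["last"] is None else max(s["last"], a["ts"])
    return dict(summary)

# Constructed sample alerts (documentation addresses, simplified fields).
# SID 1000001 is a hypothetical local rule that matches client -> server
# traffic, so its roles are left as logged.
FTP_SERVER, CLIENT_A, CLIENT_B = "192.0.2.10", "198.51.100.7", "203.0.113.5"
SAMPLE_ALERTS = [
    {"ts": 1371123211, "sid": 2002383, "src_ip": FTP_SERVER, "src_port": 21,
     "dst_ip": CLIENT_A, "dst_port": 51234},
    {"ts": 1371123240, "sid": 2002383, "src_ip": FTP_SERVER, "src_port": 21,
     "dst_ip": CLIENT_A, "dst_port": 51290},
    {"ts": 1371123300, "sid": 1000001, "src_ip": CLIENT_B, "src_port": 40000,
     "dst_ip": FTP_SERVER, "dst_port": 21},
]

if __name__ == "__main__":
    for attacker, s in sorted(summarize_by_attacker(SAMPLE_ALERTS).items()):
        print(f"{attacker}: {s['alerts']} alert(s) against {sorted(s['targets'])}, "
              f"first={s['first']} last={s['last']}")
```

The logged src/dst fields are left untouched in each record, so the output can still be correlated with the original unified2 events.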
