Re: Rule Needed

[Phillip Lee <phillile () sourcefire com>]

Hey Beshoy,
In order to write a proper rule, you need to scope properly.  As Alex mentioned already, to alert against same source 
ip within low time frame, detection_filter is your friend.

Regarding your latest comment, if you don’t know username/password, nor the protocol, then you’re not left with a lot 
of context to distinguish between good and bad traffic.  Assuming as a defender, you’re protecting some application, 
then understand what application you’re protecting and the protocols used to send the password over.  If you’re trying 
to detect against a specific type of tool that runs the password spray, then understand that tool and try to figure out 
some defining characteristics of that tool.

Your original ask of ‘detect a password spray attack against any protocol against any web application’ is too broad to 
create generic coverage for without creating way too many false positives.
 
Regarding your fast_pattern question - check the following from the snort manual:
http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004522000000000000000

> On May 16, 2018, at 2:01 PM, Beshoy Atef via Snort-sigs <snort-sigs () lists snort org> wrote:
>
> Alex, Thank you for your reply,
>
> However both 1, 2 & 3 for the same event not different events, the problem is that during a pentest I would never 
> know what this password could be.
>
> The attack in general is named password spray attack. could be used on different protcols, ssh, rdp, rlogin and any 
> web application that can accept usernames and passwords, and so on.
> On Wednesday, May 16, 2018, 10:37:02 AM PDT, Alex McDonnell <amcdonnell () sourcefire com> wrote:
>
>
> You can do number 1 yourself using the detection_filter rule option. For number 2 you have the details of what that 
> is, but unless you know the password, you can't detect the same password being used over and over. 
>
> On Wed, May 16, 2018 at 1:28 PM, Beshoy Atef via Snort-sigs <snort-sigs () lists snort org <mailto:snort-sigs () 
> lists snort org>> wrote:
> Hello Snort Team,
>
> I have came across something that you might be able to help me in,
>
> We had a pen testing project, and we had a recommendations of applying rule to detect password sprays,
>
> What happened is that the pen tester was able to run a script that send multiple sessions to login to multiple 
> machines using the different usernames but with the same password, till he was able to login.
>
> I need a rule that can detect the following:
>
> 1) If multiple login sessions was initiated from the same machine -same source ip-  within low time frame.
> 2) It was using different usernames but all used the same password.
> 3) It was not destined to one machine that is why this ip was not locked out.
>
> I would appreciate if you can guide me to get this rule implemented.
>
> Thanks again.
> Beshoy
>
> ______________________________ _________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org <mailto:Snort-sigs () lists snort org>
> https://lists.snort.org/ mailman/listinfo/snort-sigs <https://lists.snort.org/mailman/listinfo/snort-sigs>
>
> Please visit http://blog.snort.org <http://blog.snort.org/> for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is- the-mailing-list-etiquette 
> <https://snort.org/faq/what-is-the-mailing-list-etiquette>
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
> href=" https://snort.org/downloads/# rule-downloads <https://snort.org/downloads/#rule-downloads>">emerging 
> threats</a>!
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists snort org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
> href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!