Snort mailing list archives
RE: Are there any rules out there to alert for a TH C-Hydra scan?
From: Steve Halligan <shalligan () 333tech com>
Date: Tue, 25 Mar 2003 09:47:16 -0600
I ran across a program from www.thehackerschoice.com (hydra) and am inquiring as to whether Snort will pick up any malicious activity from this password-cracking tool?
Brute forcing user/password combo's looks exactly like a user actually trying to log in, except with a huge increase in volume. Since Snort, at this point, does not have the ability to put thresholds into rules (ie. only alert if there a x rule matches in y time), the only way to alert on something like this, would be to alert on ALL failed user login attempts. What a fail user login attempt looks like, and therefore what the rule would look like, depends on your system/services/setup. ------------------------------------------------------- This SF.net email is sponsored by: The Definitive IT and Networking Event. Be There! NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: Are there any rules out there to alert for a TH C-Hydra scan? SRH-Lists (Mar 25)
- <Possible follow-ups>
- RE: Are there any rules out there to alert for a TH C-Hydra scan? Steve Halligan (Mar 26)