Re: Rules to block FT

["Valter Santos" <vsantola () sectoid com>]

Hi all,

I think what Dwane is looking for is ftp brute force attempts against
his own ftp servers, so this should do it:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any

Responses from $HOME_NET 21 to external hosts... the full rule from
bleeding threats:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE SCAN
Potential FTP Brute-Force attempt"; flow:from_server,established;
content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi";
classtype:unsuccessful-user; threshold: type threshold, track by_dst,
count 5, seconds 120; sid:2002383; rev:4;)


take care
/valter




On 6/28/07, Joel Ebrahimi <jebrahimi () stillsecure com> wrote:
> Hi Dwane,
>
>  There is a problem with this rule. The content detection portion of the
> rule looks good, it looks for the 530 response from FTP for an incorrect
> login.
>  The problem lies within the rule header though (alert tcp $HOME_NET any ->
> $EXTERNAL_NET 21), this content that is being looked for is from the client
> to the server, where it is really the server that sends the 530 error code
> so by switching the direction your monitoring this pattern for you should be
> good to go (alert tcp $EXTERNAL_NET 21 ->  $HOME_NET any).
>
>  //Joel
>
>  StillSecure
>  Joel Ebrahimi
>  Senior Software Engineer
>
>
>  http://www.stillsecure.com/
>  The information transmitted is intended only for the person
>  to whom it is addressed and may contain confidential material.
>  Review or other use of this information by persons other than
>  the intended recipient is prohibited. If you've received
>  this in error, please contact the sender and delete
>  from any computer.
>
>
>
>
>  -----Original Message-----
>  From: snort-users-bounces () lists sourceforge net on behalf
> of Atkins, Dwane P
>  Sent: Wed 6/27/2007 9:18 AM
>  To: Snort-users () lists sourceforge net
>  Subject: [Snort-users] Rules to block FT
>
>  I have a testbed set up and have already alerted and blocked via
>  snortsam for SSH.  I am now working on FTP.
>
>
>
>  My rule:
>
>
>
>  alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (   msg:"BLOCKED Potential
>  FTP Brute-Force attempt";flow:from_server,established;
> content:"530 ";
> pcre:"/^530\s+(Login|User|Failed)/smi";classtype:unsuccessful-user;
>  threshold: type threshold, track by_dst, count 10, seconds 60;
>  sid:1000002; rev:1; fwsam: src, 5 minutes;)
>
>
>
>  Does this look like it will work? I am not that adept about building
>  rules and am learning.  This was from bleeding edge, I think.
>
>
>
>  Dwane
>
>
>
>
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users