Snort mailing list archives
Mainframe FTP Failed Logins
From: paul stark <starkp () gmail com>
Date: Wed, 12 May 2010 13:54:32 -0400
I'm trying to write a rule that captures failed FTP logins to our mainframe. Unfortunately it appears that all of my attempts to date have not been successful. The issue appears to occur because for some reason snort does not see the 530 failed login code that is returned. The 220 status codes also do not appear to be detected. As you can see from the tcpdump below the user, pass and quit commands appear to be detected correctly but the lines with the 220 and 530 status codes do not appear to contain any readable ascii data. My question is has anyone seen this before or have any suggestions on how I might be able to get the 530 code to appear.

I had been trying to model the rule after an emerging threats rule below:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; dsize:<100; content:"530 "; depth:4; pcre:"/530\s+(PASS)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; classtype:unsuccessful-user; sid:2002383; rev:11; reference:url,doc.emergingthreats.net/2002383; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force;)

Below is a sample failed FTP login attempt:

Connected to x.x.x.x.
220-FTPD1 IBM FTP CS V1R10 at xxxxx, 10:09:44 on 2010-05-12.
220-
220-*********************************************
220-* ZOS TEST LPAR *
220-*********************************************
220-
220 Connection will close if idle for more than 5 minutes.
User (x.x.x.x:(none)): abcd
331 Send password please.
Password:
530 PASS command failed
Login failed.
ftp> quit
221 Quit command received. Goodbye.
Below is a copy of the tcpdump output that I have been using to test the rule with using the following snort syntax: snort -r /root/debug.pcap -vX

05/12-10:08:25.280380 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23264 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3E778E53 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 30 5A E0 40 00 7E 06 92 07 0A 8D B1 07 0A 83  .0Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 53 00 00 00 00 70 02  I.>y..>w.S....p.
0x0030: FF FF 67 E6 00 00 02 04 05 B4 01 01 04 02        ..g...........
=====================================+
05/12-10:08:25.281397 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23265 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E54 Ack: 0xBC998A2 Win: 0xFFFF TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5A E1 40 00 7E 06 92 0E 0A 8D B1 07 0A 83  .(Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 98 A2 50 10  I.>y..>w.T....P.
0x0030: FF FF F0 2E 00 00 00 00 00 00 00 00              ............
=====================================+
05/12-10:08:25.580050 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23266 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E54 Ack: 0xBC998E5 Win: 0xFFBC TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5A E2 40 00 7E 06 92 0D 0A 8D B1 07 0A 83  .(Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 98 E5 50 10  I.>y..>w.T....P.
0x0030: FF BC F0 2E 00 00 00 00 00 00 00 00              ............
=====================================+
05/12-10:08:25.881751 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23267 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E54 Ack: 0xBC999C6 Win: 0xFEDB TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5A E3 40 00 7E 06 92 0C 0A 8D B1 07 0A 83  .(Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 99 C6 50 10  I.>y..>w.T....P.
0x0030: FE DB F0 2E 00 00 00 00 00 00 00 00              ............
=====================================+
05/12-10:08:27.373728 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23715 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x3E778E54 Ack: 0xBC999C6 Win: 0xFEDB TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 33 5C A3 40 00 7E 06 90 41 0A 8D B1 07 0A 83  .3\.@.~..A......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 99 C6 50 18  I.>y..>w.T....P.
0x0030: FE DB 64 A4 00 00 55 53 45 52 20 61 62 63 64 0D  ..d...USER abcd.
0x0040: 0A                                               .
=====================================+
05/12-10:08:27.591482 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23716 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E5F Ack: 0xBC999E1 Win: 0xFEC0 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5C A4 40 00 7E 06 90 4B 0A 8D B1 07 0A 83  .(\.@.~..K......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 5F 0B C9 99 E1 50 10  I.>y..>w._....P.
0x0030: FE C0 F0 23 00 00 00 00 00 00 00 00              ...#........
=====================================+
05/12-10:08:27.869722 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23717 IpLen:20 DgmLen:50 DF
***AP*** Seq: 0x3E778E5F Ack: 0xBC999E1 Win: 0xFEC0 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 32 5C A5 40 00 7E 06 90 40 0A 8D B1 07 0A 83  .2\.@.~..@......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 5F 0B C9 99 E1 50 18  I.>y..>w._....P.
0x0030: FE C0 ED 0E 00 00 50 41 53 53 20 31 32 33 0D 0A  ......PASS 123..
=====================================+
05/12-10:08:27.993747 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23718 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E69 Ack: 0xBC999FA Win: 0xFEA7 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5C A6 40 00 7E 06 90 49 0A 8D B1 07 0A 83  .(\.@.~..I......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 69 0B C9 99 FA 50 10  I.>y..>w.i....P.
0x0030: FE A7 F0 19 00 00 00 00 00 00 00 00              ............
=====================================+
05/12-10:08:28.749416 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23843 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x3E778E69 Ack: 0xBC999FA Win: 0xFEA7 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 2E 5D 23 40 00 7E 06 8F C6 0A 8D B1 07 0A 83  ..]#@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 69 0B C9 99 FA 50 18  I.>y..>w.i....P.
0x0030: FE A7 48 58 00 00 51 55 49 54 0D 0A              ..HX..QUIT..
=====================================+
05/12-10:08:28.751212 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23844 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E6F Ack: 0xBC99A20 Win: 0xFE82 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5D 24 40 00 7E 06 8F CB 0A 8D B1 07 0A 83  .(]$@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 6F 0B C9 9A 20 50 10  I.>y..>w.o... P.
0x0030: FE 82 F0 12 00 00 00 00 00 00 00 00              ............
=====================================+
05/12-10:08:28.752409 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23845 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x3E778E6F Ack: 0xBC99A20 Win: 0xFE82 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5D 25 40 00 7E 06 8F CA 0A 8D B1 07 0A 83  .(]%@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 6F 0B C9 9A 20 50 11  I.>y..>w.o... P.
0x0030: FE 82 F0 11 00 00 00 00 00 00 00 00              ............

------------------------------------------------------------------------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
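Working code for the payload and threshold logic of the ET rule quoted above, run over a constructed packet list; this is an added example, not the poster's rule or Snort's own code. It assumes the server listens on port 21 and keys the threshold on the client port instead of an address, and it flags the condition the dump above shows, in which every packet travels from port 15993 to port 21, so no from_server reply is present for the rule to match.

```python
import re
from collections import defaultdict, deque

# Constructed control-channel packets as (timestamp, src_port, dst_port, payload).
# Server replies follow the sample session in the post; the client lines mirror
# the USER / PASS / QUIT payloads visible in the dump. Not a real capture.
SAMPLE = [
    (0.0, 21, 15993, b"220 Connection will close if idle for more than 5 minutes.\r\n"),
    (2.0, 15993, 21, b"USER abcd\r\n"),
    (2.2, 21, 15993, b"331 Send password please.\r\n"),
    (2.5, 15993, 21, b"PASS 123\r\n"),
    (2.7, 21, 15993, b"530 PASS command failed\r\n"),
    (3.5, 15993, 21, b"QUIT\r\n"),
    (3.6, 21, 15993, b"221 Quit command received. Goodbye.\r\n"),
]

# The ET rule's pcre:"/530\s+(PASS)/smi" (s = dotall, m = multiline, i = caseless).
FAILED_LOGIN = re.compile(rb"530\s+(PASS)", re.S | re.M | re.I)

def matches_rule(payload: bytes) -> bool:
    """Payload checks of sid:2002383: dsize:<100, content:"530 " within depth:4, then the pcre."""
    return len(payload) < 100 and payload[:4] == b"530 " and FAILED_LOGIN.search(payload) is not None

def server_payload_seen(packets) -> bool:
    """True if at least one data-carrying packet came from port 21. flow:from_server
    means the rule can only fire on such packets; a capture holding only
    client->server packets (as in the dump, all 15993 -> 21) can never match it."""
    return any(src == 21 and payload for _, src, _, payload in packets)

def alerts(packets, count=5, seconds=300):
    """threshold: type threshold, track by_dst, count 5, seconds 300.
    Fires on every count-th matching reply to the same client inside the window.
    Keyed by client port here because the dump anonymises addresses; key on the
    client IP in real use. Returns [(timestamp, client_port), ...]."""
    windows = defaultdict(deque)
    fired = []
    for ts, src, dst, payload in packets:
        if src != 21 or not matches_rule(payload):
            continue
        window = windows[dst]
        window.append(ts)
        while ts - window[0] > seconds:          # drop hits older than the window
            window.popleft()
        if len(window) >= count:
            fired.append((ts, dst))
            window.clear()
    return fired

if __name__ == "__main__":
    print("server side present:", server_payload_seen(SAMPLE))
    print("alerts:", alerts(SAMPLE))
```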