Snort mailing list archives

Re: sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive


From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 25 Oct 2011 13:09:10 -0400

Actually, SCP'ing a large file won't cause this to trigger. SCP'ing a large
number of files might. Let me explain how it works.

The content match you're looking at here is the banner sent out by the
SSH/SCP/SFTP server when a connection is initiated. There really is no
indicator of a successful vs. failed login, because it's encrypted by then -
which is, of course, the point. In the case where you're transferring a
large file, you'll only get the banner once at the start of the file
transfer - when you first connect and exchange keys/login info. If you're
transferring a number of small files, you can do so in two ways: either in a
command line that globs them together and sends them through a single
transfer (the preferred method, since it's faster), which will only do one
key exchange and thus display one banner, or in, say, a shell loop that
calls scp, where each iteration produces a login banner, and that could
trigger the rule. However, at that point you'll also probably recognize the
destination IP address seeing the banner, and tell your admins to fix their
scripts.

On Tue, Oct 25, 2011 at 11:10 AM, Thibaut PIRONNEAU <
thibaut.pironneau () clermont-universite fr> wrote:

Hello,
First, sorry for my poor English.
I have been using snort 2.9.1 for a while and I have a question about rule
number 19559: BAD-TRAFFIC SSH brute force login attempt
I think this rule generates many false positives, and I can prove it:
In my company, we have a huge information system with many servers and
ssh servers, which are open to the WAN (behind a firewall)... I have ssh
brute force alerts on these servers... But I filter ssh by IP on each
machine. At home or by using another external ADSL connection, I'm not
able to connect to my ssh server...

I think there are problems with the rule's wording:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH brute
force login attempt"; flow:to_server,established; content:"SSH-";
depth:4; detection_filter:track by_src, count 5, seconds 60;
classtype:misc-activity; sid:19559; rev:1;)

I think, if I use ssh with scp with a huge file for example, this rule
raises an alert... Is there not an indication of login in the IP packet
during the connection phase?

Thanks for your patience and for your help.

Best Regards.
--
Thibaut PIRONNEAU


------------------------------------------------------------------------------
The demand for IT networking professionals continues to grow, and the
demand for specialized networking skills is growing even more rapidly.
Take a complimentary Learning@Cisco Self-Assessment and learn
about Cisco certifications, training, and career opportunities.
http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!

-- 
Alex Kirk
AEGIS Program Lead
Sourcefire Vulnerability Research Team
+1-410-423-1937
alex.kirk () sourcefire com
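As an added example (not code from either message, nor Snort's own implementation), the following Python models how the quoted rule's detection_filter behaves over constructed traffic: a single scp of a large file, a shell loop calling scp once per file, and the same loop spaced out. It assumes the Snort manual's description that the filter fires once matches from one source exceed count within seconds, modelled here as a per-source window that resets after seconds; the IP addresses and payloads are constructed.

```python
# Added example: a simplified model of sid:19559's detection_filter, not Snort's code.
COUNT, SECONDS = 5, 60   # detection_filter: track by_src, count 5, seconds 60
SSH_PORT = 22            # $HOME_NET 22

def matches_rule(pkt):
    """Content match from the quoted rule: client->server (flow:to_server),
    dst port 22, payload beginning with 'SSH-' (content:"SSH-"; depth:4)."""
    return pkt["dport"] == SSH_PORT and pkt["payload"][:4] == b"SSH-"

class BySrcFilter:
    """Model of detection_filter track by_src: a window opens at the first
    match from a source and resets once `seconds` have passed; the rule
    alerts only when matches inside the window exceed `count` (assumption:
    fixed window starting at the first match, not a sliding one)."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, matches_in_window)

    def exceeded(self, src, ts):
        start, n = self.state.get(src, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0          # open a fresh window for this source
        n += 1
        self.state[src] = (start, n)
        return n > self.count

def run_rule(packets):
    """Return (src, ts) for every packet on which the modelled rule alerts."""
    flt = BySrcFilter(COUNT, SECONDS)
    return [(p["src"], p["ts"]) for p in packets
            if matches_rule(p) and flt.exceeded(p["src"], p["ts"])]

def pkt(src, ts, payload):
    return {"src": src, "dport": SSH_PORT, "ts": ts, "payload": payload}

BANNER = b"SSH-2.0-OpenSSH_5.9\r\n"   # constructed client version banner

# Case 1 (constructed): one scp of a large file: a single banner, then many
# encrypted data segments that never start with "SSH-".
LARGE_FILE = [pkt("203.0.113.5", 0.0, BANNER)] + \
             [pkt("203.0.113.5", 0.1 * i, bytes([i % 256]) * 64) for i in range(1, 400)]
# Case 2 (constructed): a shell loop running scp per file, 3 s apart: one banner per run.
SCP_LOOP = [pkt("203.0.113.9", 3.0 * i, BANNER) for i in range(8)]
# Case 3 (constructed): the same loop with runs 61 s apart: never 6 in one window.
SLOW_LOOP = [pkt("198.51.100.7", 61.0 * i, BANNER) for i in range(8)]

if __name__ == "__main__":
    for name, traffic in [("large file", LARGE_FILE), ("scp loop", SCP_LOOP),
                          ("slow loop", SLOW_LOOP)]:
        print(name, "->", run_rule(traffic))
```

Only the per-file loop produces alerts, and only from its sixth banner onward, which is the behaviour Alex describes; the single large transfer and the slow loop stay silent.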