Snort mailing list archives
Re: sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive
From: Alex Kirk <akirk () sourcefire com>
Date: Tue, 25 Oct 2011 13:09:10 -0400
Actually, SCP'ing a large file won't cause this to trigger. SCP'ing a large number of files might. Let me explain how it works.

The content match you're looking at here is the banner sent out by the SSH/SCP/SFTP server when a connection is initiated. There really is no indicator of a successful vs. failed login, because it's encrypted by then - which is, of course, the point. In the case where you're transferring a large file, you'll only get the banner once at the start of the file transfer - when you first connect and exchange keys/login info.

If you're transferring a number of small files, you can do so in two ways. You can use a command line that globs them together and sends them through a single transfer (the preferred method, since it's faster), which will only do one key exchange and thus have one banner displayed. Alternatively, you can do, say, a shell loop that calls scp; each time you'll get a login banner, and that could trigger the rule. However, at that point you'll also probably recognize the destination IP address seeing the banner, and tell your admins to fix their scripts.

On Tue, Oct 25, 2011 at 11:10 AM, Thibaut PIRONNEAU < thibaut.pironneau () clermont-universite fr> wrote:
Hello,

First, sorry for my poor English. I have been using snort 2.9.1 for a while and I have a question about rule number 19559: BAD-TRAFFIC SSH brute force login attempt. I think this rule generates many false positives, and I can prove it: in my company, we have a huge information system with many servers and ssh servers, which are open to the WAN (behind a firewall)... I have ssh brute force alerts on these servers... But I filter ssh by IP on each machine. At home or by using another external ADSL connection, I'm not able to connect to my ssh server...

I think there are problems with the way the rule is written:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BAD-TRAFFIC SSH brute force login attempt"; flow:to_server,established; content:"SSH-"; depth:4; detection_filter:track by_src, count 5, seconds 60; classtype:misc-activity; sid:19559; rev:1;)

I think, if I use ssh with scp with a huge file for example, this rule raises an alert... Is there not an indication of login in the IP packet during the connection phase?

Thanks for your patience and for your help. Best Regards.

-- Thibaut PIRONNEAU

------------------------------------------------------------------------------ The demand for IT networking professionals continues to grow, and the demand for specialized networking skills is growing even more rapidly. Take a complimentary Learning@Cisco Self-Assessment and learn about Cisco certifications, training, and career opportunities. http://p.sf.net/sfu/cisco-dev2dev
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
-- Alex Kirk AEGIS Program Lead Sourcefire Vulnerability Research Team +1-410-423-1937 alex.kirk () sourcefire com
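The behaviour Alex describes (one banner per connection, counted per source by the detection_filter regardless of whether the login succeeds) can be checked against constructed traffic. The following is an added example, not code from the thread or from the Snort project: it models the content match and the `detection_filter:track by_src, count 5, seconds 60` of sid:19559 in Python over hand-built packet records. The packet dictionaries, the IP addresses, and the `ssh_session` helper are constructed for the example; the exact threshold boundary (here: alert once a source exceeds `count` matches inside the window) is a modelling assumption.

```python
"""Model of sid:19559's content match plus detection_filter, run over
constructed packets. Added example; not from the thread or from Snort.
Assumes only a client banner starting "SSH-" sent to port 22 on an
established flow is a rule match, and that the filter alerts once a
source exceeds `count` matches inside a sliding window of `seconds`."""
from collections import defaultdict, deque

# Rule parameters taken from the rule text quoted in the thread.
COUNT = 5
SECONDS = 60
CONTENT = b"SSH-"
DEPTH = 4


def rule_matches(pkt):
    """flow:to_server,established; content:"SSH-"; depth:4 (port 22)."""
    return (pkt["dport"] == 22
            and pkt["to_server"]
            and pkt["payload"][:DEPTH] == CONTENT)


class DetectionFilter:
    """track by_src, count N, seconds S: per-source sliding window."""

    def __init__(self, count=COUNT, seconds=SECONDS):
        self.count = count
        self.seconds = seconds
        self.history = defaultdict(deque)  # src -> timestamps of matches

    def feed(self, pkt):
        """Return True if this packet should raise an alert."""
        if not rule_matches(pkt):
            return False
        window = self.history[pkt["src"]]
        window.append(pkt["ts"])
        # Forget matches that have aged out of the window.
        while window and pkt["ts"] - window[0] > self.seconds:
            window.popleft()
        # Assumption: the rate is exceeded when more than `count`
        # matches from one source fall inside the window.
        return len(window) > self.count


def run(packets):
    """Return (src, ts) for every packet that alerted, in order."""
    df = DetectionFilter()
    return [(p["src"], p["ts"]) for p in packets if df.feed(p)]


def offending_sources(packets):
    """Sources that tripped the filter: what an analyst would hand to
    the admins so they can fix their scripts."""
    return sorted({src for src, _ in run(packets)})


def ssh_session(src, ts, n_data_pkts):
    """Constructed packets for one SSH/SCP connection: a single client
    banner at connect time, then only opaque encrypted data."""
    pkts = [{"src": src, "dport": 22, "to_server": True, "ts": ts,
             "payload": b"SSH-2.0-OpenSSH_5.9\r\n"}]
    for i in range(n_data_pkts):
        pkts.append({"src": src, "dport": 22, "to_server": True,
                     "ts": ts + i,
                     # Ciphertext never starts with "SSH-".
                     "payload": bytes([0x5A, 0x91, 0x02, 0x77]) * 4})
    return pkts


# Scenario A: one large scp = one connection, many data packets, one banner.
LARGE_TRANSFER = ssh_session("203.0.113.10", 0, 2000)

# Scenario B: `for f in *; do scp "$f" host:; done`, one connection
# every 5 seconds = one banner per file from the same source.
SCP_LOOP = [p for i in range(8) for p in ssh_session("203.0.113.20", i * 5, 3)]

# Scenario C: the same loop slowed to one connection every 15 seconds,
# so at most 5 banners ever share a 60-second window.
SLOW_LOOP = [p for i in range(8) for p in ssh_session("203.0.113.30", i * 15, 3)]


if __name__ == "__main__":
    print("large transfer alerts:", run(LARGE_TRANSFER))
    print("scp loop alerts:      ", run(SCP_LOOP))
    print("slow loop alerts:     ", run(SLOW_LOOP))
    print("sources to report:    ", offending_sources(SCP_LOOP))
```

Scenario A produces no alert however big the file is, because the only matchable bytes are the one banner; scenario B alerts from the sixth connection onward, exactly the per-file loop Alex warns about, even though every one of those logins may have succeeded; scenario C shows the rate component, since spacing the connections out keeps each 60-second window at or below the count. Whether Snort fires on the fifth or the sixth match is the one point this model does not settle; check the detection_filter section of the Snort manual for your version before relying on the exact boundary.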
Current thread:
- sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive Thibaut PIRONNEAU (Oct 25)
- Re: sid:19559 BAD-TRAFFIC SSH brute force login attempt False Positive Alex Kirk (Oct 25)