Snort mailing list archives
Re: FTP brute Force attack
From: waldo kitty <wkitty42 () windstream net>
Date: Thu, 13 Jun 2013 12:28:55 -0400
On 6/13/2013 07:33, sumitkamboj88 () gmail com wrote:
Hello everyone, I am using the rule below to detect FTP brute force attacks:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 60; sid:2002383; rev:10;)

It is working properly, but when I check the generated log file using u2spewfoo it shows the source of the attack as the destination and the destination of the attack as the source (meaning it shows the attacker as the target). I also know why it is happening, because the "530 login incorrect" message is generated by the FTP server. I just want to know if there is any way I can get a generated log which shows the actual source and destination of the attack.
no, not with snort or most snort-related tools... the rule is reporting accurately, though... what we have done, in an auto-response tool, is to adjust the message to add "BLOCKING DESTINATION"... the code in the tool detects that additional text in the MSG and flips the source and destination entries internally for all further processing... the snort log still reports them "backwards" but the auto-responder reports the blocked site as the "source" of the apparent attack... we've just had to train our folks to see them backwards in the same way as the auto-responder when they see the additional text in the MSG...

--
NOTE: No off-list assistance is given without prior approval. Please keep mailing list traffic on the list unless private contact is specifically requested and granted.

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
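As an added illustration, not code from the thread or from waldo kitty's auto-responder, here is a small Python post-processor that applies the same idea to Snort alert_fast lines: when the rule's msg carries the "BLOCKING DESTINATION" marker, the source and destination are swapped before the alert is reported. The alert line layout, the two sample alerts and the contrasting client-to-server rule (sid 1000001) are constructed assumptions.

```python
import re
from typing import Optional

# Marker the auto-responder looks for in the rule's msg (from the thread);
# when present, Snort's src/dst are swapped before any further processing.
FLIP_MARKER = "BLOCKING DESTINATION"

# Assumed alert_fast layout:
#   <ts> [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample alerts: one fired by the from_server rule 2002383 with the
# marker appended to its msg, one by a made-up client-to-server rule (sid 1000001).
SAMPLE_ALERTS = [
    "06/13-12:28:55.000001  [**] [1:2002383:10] ET SCAN Potential FTP Brute-Force attempt "
    "BLOCKING DESTINATION [**] [Classification: Unsuccessful User Privilege Gain] "
    "[Priority: 1] {TCP} 10.0.0.5:21 -> 203.0.113.7:51234",
    "06/13-12:29:01.000002  [**] [1:1000001:1] LOCAL FTP USER command from outside [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.7:51234 -> 10.0.0.5:21",
]

def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the fields of one alert_fast line, or None if the line does not match."""
    m = FAST_RE.match(line)
    return m.groupdict() if m else None

def attacker_and_target(alert: dict) -> dict:
    """Decide which side is the attacker.

    For a from_server rule the packet that fired is the server's reply, so Snort's
    src is the victim server and dst is the client that failed to log in. The
    marker in msg is the rule author's signal that the two must be flipped.
    """
    flipped = FLIP_MARKER in alert["msg"]
    attacker, target = (alert["dst"], alert["src"]) if flipped else (alert["src"], alert["dst"])
    return {"sid": int(alert["sid"]), "attacker": attacker, "target": target, "flipped": flipped}

def summarize(lines) -> list:
    """Normalise every parseable alert line into attacker/target form."""
    return [attacker_and_target(a) for a in map(parse_fast_alert, lines) if a]

if __name__ == "__main__":
    for record in summarize(SAMPLE_ALERTS):
        print(record)
```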
Current thread:
- FTP brute Force attack sumitkamboj88 () gmail com (Jun 13)
- Re: FTP brute Force attack Lay, James (Jun 13)
- Re: FTP brute Force attack waldo kitty (Jun 13)