Snort mailing list archives

Re: Kerberos login failure detection


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 15 Sep 2014 14:47:15 -0400

On 9/15/2014 10:28 AM, Sharif Uddin wrote:
Hello

I would like to set up an alert for this in my network. I have found the
following guide but the alert is not producing any results

http://foxtrot7security.blogspot.co.uk/2011/12/defeat-domain-user-spraying-brute_28.html

# ad login failed
alert tcp any 88 -> any any (msg:"Possible domain user spraying detected"; \
flow:established, to_client; \
content:"|05|"; offset:14; depth:15; \
content:"|1e|"; distance:4; within:1; \
content:"|18|"; distance:30; within:1; \
detection_filter:track by_dst, count 1, seconds 60; \
reference:url,foxtrot7security.blogspot.com/2011/12/defeat-domain-user-spraying-brute_28.html; \
classtype:attempted-user; \
sid:1000002; \
rev:0;)

firstly, what version of snort are you using?

i think your problem is going to stem from the combined "offset", "depth", 
"distance" and "within" options... i say this because how they operate has 
changed in recent versions of snort as compared to that which was available back 
in December of 2011... the rule might work with the use of one of the "raw*" 
modifiers or a slightly different manner of specifying where the data is to be 
found in the buffer it is contained in... hopefully this helps point you in the 
right direction ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
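As an added example (not from either post or the linked guide), the Python below builds a constructed Kerberos KRB-ERROR as a KDC returns it over TCP, replays the rule's three content tests byte for byte, and checks the same message with a structured DER walk. Assumptions: depth is taken as counting from offset; the realm, principal names and susec values are constructed sample data; the constants pvno 5, msg-type 30 (KRB-ERROR) and error-code 24 (KDC_ERR_PREAUTH_FAILED) come from RFC 4120.

```python
def der(tag, body):
    """Minimal DER TLV for bodies under 256 bytes: short or 0x81 long-form length."""
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + body

def der_items(buf):
    """Yield (tag, value) for each TLV in buf; handles short and multi-byte lengths."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                      # long form: low bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def principal(name_type, *parts):  # PrincipalName: [0] name-type, [1] SEQUENCE OF GeneralString
    return der(0x30, der(0xA0, der(0x02, bytes([name_type])))
               + der(0xA1, der(0x30, b"".join(der(0x1B, p) for p in parts))))

def krb_error_tcp(error_code, susec=b"\x05\x5f\x3a", realm=b"CORP.EXAMPLE.LOCAL"):
    """Constructed KRB-ERROR (APPLICATION 30) behind the 4-byte TCP length prefix."""
    body = (der(0xA0, der(0x02, b"\x05"))                 # [0] pvno = 5
            + der(0xA1, der(0x02, b"\x1e"))               # [1] msg-type = 30, KRB-ERROR
            + der(0xA4, der(0x18, b"20140915144715Z"))    # [4] stime, GeneralizedTime
            + der(0xA5, der(0x02, susec))                 # [5] susec, INTEGER of varying size
            + der(0xA6, der(0x02, bytes([error_code])))   # [6] error-code (24 = PREAUTH_FAILED)
            + der(0xA7, der(0x1B, realm))                 # [7] crealm (constructed sample)
            + der(0xA8, principal(1, b"jdoe"))            # [8] cname (constructed sample)
            + der(0xA9, der(0x1B, realm))                 # [9] realm
            + der(0xAA, principal(2, b"krbtgt", realm)))  # [10] sname
    msg = der(0x7E, der(0x30, body))
    return len(msg).to_bytes(4, "big") + msg

def rule_matches(payload):
    """The posted rule's content chain; depth assumed to count from offset."""
    i = payload.find(b"\x05", 14, 14 + 15)                    # offset:14; depth:15
    if i < 0: return False
    i = payload.find(b"\x1e", i + 1 + 4, i + 1 + 4 + 1)      # distance:4; within:1
    if i < 0: return False
    return payload.find(b"\x18", i + 1 + 30, i + 1 + 30 + 1) >= 0  # distance:30; within:1

def krb_error_code(payload):
    """Structured check: walk the DER and return the [6] error-code, or None."""
    tag, app = next(der_items(payload[4:]))
    if tag != 0x7E: return None
    for ctag, val in der_items(next(der_items(app))[1]):
        if ctag == 0xA6:
            return int.from_bytes(next(der_items(val))[1], "big")
    return None
```

With the default three-byte susec the rule's fixed offsets land exactly on pvno, msg-type and error-code; passing a two-byte susec (e.g. `b"\x01\x2c"`) moves error-code one byte earlier and the byte-offset rule misses while the DER walk still returns 24.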

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org