Snort mailing list archives

Re: Detecting Hydra tool - FTP attack


From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 3 Jul 2015 12:04:15 +0000

I'm not sure of a specific keyword, but you could alert on the number of FAILED login messages rather than the logins 
themselves.

There should be an example of this in the default ruleset.

Hope this helps.


Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com
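As an added example, not taken from either mail in this thread, here is what "alert on the failed login messages" looks like as Snort 2.9 rules: a client-side rule that fires on every USER command (constructed here to stand in for the attached rule image, which the archive does not reproduce) beside a server-side rule that counts the FTP 530 replies with detection_filter. The count, window and SIDs are assumed values.

```snort
# Added example. A client-side match fires once per login attempt, so a single
# alert may just be user "mark" logging in normally.
alert tcp any any -> any 21 (msg:"FTP USER command seen (fires on every login, legitimate or not)"; \
    flow:to_server,established; content:"USER "; depth:5; nocase; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Counting the server's "530" (login failed) replies instead separates a real
# user, who fails rarely, from a guessing tool. detection_filter keeps a counter
# per destination host (the client receiving the failures): the rule stays
# silent until 5 failures have reached the same client within 60 seconds, then
# fires on that reply and every further failure inside the window. The count
# and seconds are constructed values; tune them to the environment.
alert tcp any 21 -> any any (msg:"FTP brute force: 5+ failed logins to one client in 60s"; \
    flow:from_server,established; content:"530 "; depth:4; \
    detection_filter:track by_dst, count 5, seconds 60; \
    classtype:attempted-user; sid:1000002; rev:1;)
```

Because the counter is keyed on the client IP rather than the TCP session, failures keep accruing when the server drops the connection after a few bad passwords and the tool reconnects.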

From: Marcio Guerreiro [mailto:marcio.guerreiro () hotmail co uk]
Sent: Friday, July 03, 2015 5:08 AM
To: 'snort-users'
Subject: [Snort-users] Detecting Hydra tool - FTP attack

Hi all

I am trying to figure out how to detect a number of attempts (4 - 100) of password guessing without triggering the normal 
login of the user.

For example if I use one computer to deploy the command

root@golias:~# hydra -t 1 -l mark -P passwords.txt -Vv 192.168.1.77 ftp

and the rule to detect

[inline image image001.png: the rule, not reproduced in the archive]

I would be able to capture the malicious activity, but I would also capture the user mark logging into the system. For me 
it is obvious that if I check my log and see 10 alerts it is suspicious and I would investigate. If I see just one 
alert, I would assume that the user mark has logged in normally. The question is... does anybody know if there is any 
keyword that would detect consecutive attempts rather than just one or two?




Thank you

Marcio




