Snort mailing list archives
Re: Detecting Hydra tool - FTP attack
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Fri, 3 Jul 2015 12:04:15 +0000
I'm not sure of a specific keyword, but you could alert on the number of FAILED login messages rather than the logins themselves. There should be an example of this in the default ruleset. Hope this helps.

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Marcio Guerreiro [mailto:marcio.guerreiro () hotmail co uk]
Sent: Friday, July 03, 2015 5:08 AM
To: 'snort-users'
Subject: [Snort-users] Detecting Hydra tool - FTP attack

Hi all,

I am trying to figure out how to detect a number of attempts (4 - 100) of password guessing without triggering on the normal login of the user. For example, if I use one computer to deploy the command

root@golias:~# hydra -t 1 -l mark -P passwords.txt -Vv 192.168.1.77 ftp

and the rule to detect [attached image001.png], I would be able to capture the malicious activity, but I would also capture the user mark logging in to the system. For me it is obvious that if I check my log and see 10 alerts it is suspicious and I would investigate. If I see just one alert, I would assume that the user mark has logged in normally.

The question is... does anybody know if there is any keyword that would detect consecutive attempts rather than just one or two?

[attached image002.png]

Thank you
Marcio
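One way to express the suggestion above in Snort rule syntax, as an added example that is not from this thread or from the default ruleset: the rule matches the server's 530 (login failed) reply and uses the detection_filter option so that an alert only fires once the same client has collected several failures in a short window. The sid, the count of 5 and the 60-second window are assumptions to tune for your environment.

```snort
# Added example, not the thread's or the ruleset's own rule.
# Match FTP server replies (port 21 -> client) that start with the 530
# reply code, which servers send for a rejected USER/PASS pair.
# detection_filter with track by_dst counts matches per client address:
# the rule stays silent until the 5th 530 reply to one client within
# 60 seconds, so a single failed or successful login never alerts,
# while a Hydra run as in the question (one attempt per password) does.
alert tcp $HOME_NET 21 -> any any ( \
    msg:"FTP repeated login failures - possible password guessing"; \
    flow:from_server,established; \
    content:"530 "; depth:4; \
    detection_filter:track by_dst, count 5, seconds 60; \
    classtype:attempted-user; \
    sid:1000001; rev:1; \
)
# Tuning notes: matching the numeric code rather than the text
# "Login incorrect" keeps the rule independent of the FTP server's
# wording; some servers also answer 530 to commands issued before
# login, so raise the count or shorten the window if that is noisy.
```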