Snort mailing list archives

Re: Rule Needed

From: Beshoy Atef via Snort-sigs <snort-sigs () lists snort org>
Date: Wed, 16 May 2018 18:01:14 +0000 (UTC)

 Alex, Thank you for your reply,

However both 1, 2 & 3 for the same event not different events, the problem is that during a pentest I would never know 
what this password could be.
The attack in general is named password spray attack. could be used on different protcols, ssh, rdp, rlogin and any web 
application that can accept usernames and passwords, and so on.    On Wednesday, May 16, 2018, 10:37:02 AM PDT, Alex 
McDonnell <amcdonnell () sourcefire com> wrote:  
 
 You can do number 1 yourself using the detection_filter rule option. For number 2 you have the details of what that 
is, but unless you know the password, you can't detect the same password being used over and over. 
On Wed, May 16, 2018 at 1:28 PM, Beshoy Atef via Snort-sigs <snort-sigs () lists snort org> wrote:

Hello Snort Team,

I have came across something that you might be able to help me in,

We had a pen testing project, and we had a recommendations of applying rule to detect password sprays,

What happened is that the pen tester was able to run a script that send multiple sessions to login to multiple machines 
using the different usernames but with the same password, till he was able to login.

I need a rule that can detect the following:
1) If multiple login sessions was initiated from the same machine -same source ip-  within low time frame.2) It was 
using different usernames but all used the same password.3) It was not destined to one machine that is why this ip was 
not locked out.

I would appreciate if you can guide me to get this rule implemented.

Thanks again.
Beshoy
______________________________ _________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/ mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is- the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/# rule-downloads">emerging threats</a>!

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a 
href=" https://snort.org/downloads/#rule-downloads";>emerging threats</a>!

Current thread:

Rule Needed Beshoy Atef via Snort-sigs (May 16)
- Re: Rule Needed Alex McDonnell (May 16)
  - Re: Rule Needed Beshoy Atef via Snort-sigs (May 16)
  - Re: Rule Needed Beshoy Atef via Snort-sigs (May 16)
    - Re: Rule Needed Phillip Lee (May 16)
    - Re: Rule Needed Beshoy Atef via Snort-sigs (May 17)