RE: How to block a brut force attack?

[Anthony Geoffron <anthonyg () passinglane com>]

I was wondering if snort actually was able to detect it.
It seems like not based on the way this detection pattern has been done.
no?


-----Original Message-----
From: Robert van der Meulen [mailto:rvdm () cistron nl]
Sent: Tuesday, August 07, 2001 5:06 PM
To: Ramin Alidousti
Cc: Anthony Geoffron; snort-users () lists sourceforge net
Subject: Re: [Snort-users] How to block a brut force attack?



Quoting Ramin Alidousti (ramin () cannon eng us uu net):
> Rate limiting, if your fw supports it.
Bad idea; your firewall'd have to rate-limit at a content-level, as
requesting lots of files/images at the same time is not the same as
hammering on a password validation form, but looks almost the same when you
look at the traffic on a lower (TCP/IP instead of HTTP) level.
Same goes for users behind proxies, NAT networks, etc etc.

If this would've been a console-ish application, the tip would be 'make sure
authentication requests are handled more slow, so the hammering person is
discouraged'; you can do something like that in a web-based app as well,
although it's more work.

anyways, this doesn't seem like a question for the snort mailing list; maybe
you're better off on the 'secure programming' list on securityfocus ?

Greets,
        Robert 
-- 
                              Linux Generation
   encrypted mail preferred. finger rvdm () debian org for my GnuPG/PGP key.
   Nine out of ten men who preferred Camels have switched back to women.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users