Snort mailing list archives
Threshold settings
From: Jeff Kell <jeff-kell () utc edu>
Date: Wed, 31 Dec 2003 15:17:28 -0500
The "current" rules for 2.1.0 have, among other things, signatures 2273 and 2274 warning of "brute force login attempts" at IMAP and POP3. The rules contain the threshold directives:
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2273; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2274; rev:1;)
Two questions (posed to the snort-sigs list, but not strictly sig-related additions here):
(1) Do you have to make entries in threshold.conf for these SIDs? In the supplied threshold.conf there are no active directives, only comments. In other words, isn't defining the thresholds within the SID going to set the threshold settings, or do you have to duplicate them in threshold.conf as well?
(2) Both rules are tracking by_dst. Our central POP/IMAP servers are logging lots of these sigs (lots of people logging in or periodically checking for new mail). Shouldn't they be tracking by_src instead?
Jeff
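To make the by_dst versus by_src question concrete, here is an added example (not part of the post, and not Snort's own code) that models the semantics of the threshold directive used by sids 2273 and 2274 (type threshold, count 5, seconds 60) and runs it over a constructed set of login events: seven distinct clients each checking mail once on a central server, followed by one outside host sending six login commands in a burst. The event list, the IP addresses and the simplified window handling are assumptions made for illustration; the point is how the choice of tracking key decides which of those two patterns produces an alert.

```python
# Simplified model of Snort's per-rule "threshold:" directive (example code,
# not Snort's implementation). Events are constructed for illustration.

# Constructed sample events: (time in seconds, src_ip, dst_ip), one per client
# LOGIN (IMAP) or USER (POP3) command matched by the rule content.
# Seven legitimate clients check mail on the central server 10.0.0.5 once each,
# then a single outside host (198.51.100.9) sends six logins in six seconds.
EVENTS = [
    (0, "10.1.1.1", "10.0.0.5"),
    (5, "10.1.1.2", "10.0.0.5"),
    (10, "10.1.1.3", "10.0.0.5"),
    (15, "10.1.1.4", "10.0.0.5"),
    (20, "10.1.1.5", "10.0.0.5"),
    (25, "10.1.1.6", "10.0.0.5"),
    (30, "10.1.1.7", "10.0.0.5"),
    (40, "198.51.100.9", "10.0.0.5"),
    (41, "198.51.100.9", "10.0.0.5"),
    (42, "198.51.100.9", "10.0.0.5"),
    (43, "198.51.100.9", "10.0.0.5"),
    (44, "198.51.100.9", "10.0.0.5"),
    (45, "198.51.100.9", "10.0.0.5"),
]


def threshold_alerts(events, track="by_dst", ttype="threshold", count=5, seconds=60):
    """Return the (time, tracked_ip) pairs for which the rule would alert.

    track  -- "by_src" or "by_dst": which address the match counter is keyed on.
    ttype  -- "threshold": alert on every count-th match inside the window
              "limit":     alert on the first count matches, then stay quiet
              "both":      alert once per window, when count is reached
    The window starts at the first match for a key and is restarted once
    `seconds` have elapsed (a simplification of Snort's bookkeeping).
    """
    state = {}   # tracked_ip -> (window_start, matches_in_window)
    alerts = []
    for ts, src, dst in events:
        key = src if track == "by_src" else dst
        start, n = state.get(key, (ts, 0))
        if ts - start >= seconds:        # window expired: start a fresh one
            start, n = ts, 0
        n += 1
        fired = False
        if ttype == "threshold":
            if n >= count:               # every Nth match fires; counter restarts
                fired, n = True, 0
        elif ttype == "limit":
            fired = n <= count           # first N matches fire, the rest are dropped
        elif ttype == "both":
            fired = n == count           # exactly one alert per window
        else:
            raise ValueError(f"unknown threshold type {ttype!r}")
        state[key] = (start, n)
        if fired:
            alerts.append((ts, key))
    return alerts


def compare_tracking(events=EVENTS):
    """Run the sid 2273/2274 settings (count 5, seconds 60) under both track options."""
    return {
        "by_dst": threshold_alerts(events, track="by_dst"),
        "by_src": threshold_alerts(events, track="by_src"),
    }


if __name__ == "__main__":
    for track, alerts in compare_tracking().items():
        print(f"{track}: {len(alerts)} alert(s)")
        for ts, ip in alerts:
            print(f"  t={ts:>3}s  tracked address {ip}")
```

With by_dst, the counter for the mail server accumulates every client's login, so the seven unrelated clients alone push it past five and the rule fires at the fifth legitimate login and again later, always naming the server rather than any client. With by_src, each legitimate client counts once and never reaches five, and the only alert is keyed on the bursting source, which is the address an analyst actually wants in the event. Keying a brute-force rule on the destination therefore measures the server's overall login rate, not any one client's behaviour, which is why a busy shared POP/IMAP server logs "lots of these sigs".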