Snort mailing list archives

Detecting http 'basic-auth' brute force


From: soidberg () web de <soidberg () web de>
Date: Tue, 23 Mar 2004 20:16:29 +0100

Hi all,

I have installed snort 1.8.4-beta1 with acid on my test-machine and I want snort to detect brute-force attacks that aim to get the http-basic-auth password
to a given url, say

http://192.168.123.45/secret/

I am running Debian Woody and snort and acid work well.
I use a program called wwwhack [1] to attack my test-machine.
After about 50000 attempts snort keeps silent.

Are there any rules to catch this? I did not find any at snort.org. Also the
documentation does not seem to clarify this.

Any hint where to find this (and for similar protocols like pop, imap,
smtp-auth, ftp etc.) will be appreciated as I think this is a common
attack against public servers (I wonder why snort from debian does not
include rules for this by default).

Thanks for your answers!

Sebastian

[1]  http://www.securityfocus.com/tools?platid=-1&cat=5&offset=60
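
The detection asked about above comes down to counting failed authentication responses per client within a time window. The following is an added example, not part of the original post and not Snort's own code: it applies that threshold logic to web server access-log lines. The log lines, client addresses, and the threshold of 5 failures in 60 seconds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache common/combined log prefix: client, ident, user, [time], "request", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def detect_bruteforce(lines, threshold=5, window=60):
    """Alert once per (client, path) that collects `threshold` 401 responses
    within `window` seconds. Thresholds here are assumed values; a single 401
    is normal, since a browser's first request carries no credentials."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps of recent 401s
    alerted = set()              # keys already reported, to avoid alert floods
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue             # skip malformed lines and non-failures
        key = (m["ip"], m["path"])
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()          # drop failures that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((m["ip"], m["path"], len(q), ts.isoformat()))
    return alerts

def sample_log():
    """Constructed sample: one normal login (401 then 200) and a failure burst."""
    lines = [
        '192.168.123.10 - - [23/Mar/2004:20:00:00 +0100] "GET /secret/ HTTP/1.0" 401 401',
        '192.168.123.10 - alice [23/Mar/2004:20:00:05 +0100] "GET /secret/ HTTP/1.0" 200 1520',
    ]
    for i in range(8):  # eight failed attempts, two seconds apart
        lines.append('192.168.123.77 - user%d [23/Mar/2004:20:01:%02d +0100] '
                     '"GET /secret/ HTTP/1.0" 401 401' % (i, i * 2))
    return lines

if __name__ == "__main__":
    for alert in detect_bruteforce(sample_log()):
        print("possible basic-auth brute force:", alert)
```

The function assumes the log lines arrive in time order, as a server writes them.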


