Snort mailing list archives
Re: Detecting http 'basic-auth' brute force
From: "Josh Berry" <josh.berry () netschematics com>
Date: Tue, 23 Mar 2004 14:04:07 -0600 (CST)
There is no way to do this with single pattern matching rules and no thresholding. The version of Snort you are using does not support thresholding; you need to upgrade to Snort 2.0.6 or newer in order to do this. Then you can add a rule to track the source address trying to log in for more than X amount of failed attempts.
Hi all,

I have installed snort 1.8.4-beta1 with acid on my test-machine and I want snort to detect brute-force attacks that aim to get the http-basic-auth password to a given url, say http://192.168.123.45/secret/

I am running Debian Woody and snort and acid work well. I use a program called wwwhack [1] to attack my test-machine. After about 50000 attempts snort keeps silent.

Are there any rules to catch this? I did not find any at snort.org. Also the documentation does not seem to clarify this. Any hint where to find this (and for similar protocols like pop, imap, smtp-auth, ftp etc.) will be appreciated as I think this is a common attack against public servers (I wonder why snort from debian does not include rules for this by default).

Thanks for your answers!

Sebastian

[1] http://www.securityfocus.com/tools?platid=-1&cat=5&offset=60

-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.
http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
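The per-source counting that the reply describes, as an added example (not code from this thread and not Snort's implementation): it keeps a sliding window of failed basic-auth responses (HTTP 401) per client address and alerts when a source exceeds X failures, which is the state a single pattern match cannot hold. The event tuples, addresses, function names and default limits are constructed for illustration.

```python
from collections import defaultdict, deque

FAILED_STATUS = 401  # HTTP "Unauthorized": a rejected basic-auth attempt


def detect_bruteforce(events, max_failures=5, window_seconds=60):
    """Flag sources with more than max_failures 401s inside window_seconds.

    events: time-ordered iterable of (timestamp_seconds, client_ip, http_status).
    Returns a list of (timestamp, client_ip, failures_in_window) alerts.
    The counter for a source resets after each alert, so a sustained attack
    alerts once per burst instead of once per request.
    """
    recent = defaultdict(deque)  # client_ip -> timestamps of recent failures
    alerts = []
    for ts, src, status in events:
        if status != FAILED_STATUS:
            continue  # only failed logins count toward the threshold
        window = recent[src]
        window.append(ts)
        # Drop failures that have aged out of the tracking window.
        while window and ts - window[0] >= window_seconds:
            window.popleft()
        if len(window) > max_failures:
            alerts.append((ts, src, len(window)))
            window.clear()
    return alerts


def sample_events():
    """Constructed sample traffic (assumed addresses, not from the thread)."""
    events = []
    # Password guesser: one failed attempt per second for 12 seconds.
    events += [(100 + i, "10.0.0.66", 401) for i in range(12)]
    # Legitimate user: two typos, then a successful login.
    events += [(101, "10.0.0.7", 401), (103, "10.0.0.7", 401),
               (104, "10.0.0.7", 200)]
    # Slow client: a failure every 30 s never fills a 60 s window.
    events += [(i * 30, "10.0.0.9", 401) for i in range(6)]
    return sorted(events)


if __name__ == "__main__":
    for ts, src, count in detect_bruteforce(sample_events()):
        print(f"t={ts}s {src}: {count} failed basic-auth attempts within 60s")
```

The slow client in the sample shows the trade-off of any count-per-interval threshold: guesses spaced wider than the window stay below it, so the window and count have to be tuned against the expected rate of legitimate failures.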
Current thread:
- Detecting http 'basic-auth' brute force soidberg (Mar 23)
- Re: Detecting http 'basic-auth' brute force Josh Berry (Mar 23)
- Re: Detecting http 'basic-auth' brute force Jason Haar (Mar 23)
- Re: Detecting http 'basic-auth' brute force Josh Berry (Mar 23)