Snort mailing list archives
Re: Detecting http 'basic-auth' brute force
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Wed, 24 Mar 2004 11:33:05 +1200
On Tue, Mar 23, 2004 at 02:04:07PM -0600, Josh Berry wrote:
There is no way to do this with single pattern matching rules and no threshholding. The version of Snort you are using does not support threshholding, you need to upgrade to Snort 2.0.6 or newer in order to do this, then you can add a rule to track the source address trying to login for more than X amount of failed attempts.
Indeed. In fact, snort-2.1.1 with thresholds should be quite good at seeing such things! As long as the threshold is set high enough (a web page with 5 images could conceivably cause 6 auth failures the first time you connect - so you'd want the threshold to be higher - say 20/sec). A good browser shouldn't do that - but I can't vouch for IE ;-) -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +64 3 9635 377 Fax: +64 3 9635 417 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------- This SF.Net email is sponsored by: IBM Linux Tutorials Free Linux tutorial presented by Daniel Robbins, President and CEO of GenToo technologies. Learn everything from fundamentals to system administration.http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Detecting http 'basic-auth' brute force soidberg (Mar 23)
- Re: Detecting http 'basic-auth' brute force Josh Berry (Mar 23)
- Re: Detecting http 'basic-auth' brute force Jason Haar (Mar 23)
- Re: Detecting http 'basic-auth' brute force Josh Berry (Mar 23)