Snort mailing list archives

Re: Brute force attacks


From: James Riden <j.riden () massey ac nz>
Date: Sun, 16 Jan 2005 13:15:51 +1300

David Jiménez Domínguez <djdsecurity () gmail com> writes:

> Hi list!!!!
>
> Somebody could help me.... How do I configure snort (2.2.0 or 2.3) in
> order to detect brute force attacks against services like ssh, telnet
> or mysql???

There is an example rule at http://www.bleedingsnort.com/ to detect
brute-force SSH attacks. Telnet and mysql will be similar.

from rules/bleeding-scan.rules:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"BLEEDING-EDGE Potential SSH Scan"; flags:S; threshold:type threshold, track by_src, count 5, seconds 120; flowbits:set,ssh.brute.attempt; classtype:attempted-dos; sid:2001219; rev:8;)

However, this would be better done on the servers, e.g. with logwatch,
rather than on a Network Intrusion Detection System, and better still
is to force strong passwords that it's not feasible to guess by brute
force.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
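As an added example (not part of the original thread or of the Bleeding Snort rule set), the Python below mirrors the rule's `threshold:type threshold, track by_src, count 5, seconds 120` semantics but applies them to sshd log lines on the host, the approach the reply prefers over the NIDS. The log lines and IP addresses are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sshd log excerpt: 203.0.113.7 fails five times inside 120 s,
# then once more much later; 198.51.100.4 fails only once.
SAMPLE_LOG = """\
Jan 16 13:00:01 bastion sshd[2101]: Failed password for root from 203.0.113.7 port 40111 ssh2
Jan 16 13:00:09 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 16 13:00:30 bastion sshd[2103]: Accepted publickey for jamie from 198.51.100.4 port 50200 ssh2
Jan 16 13:00:41 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 40113 ssh2
Jan 16 13:01:02 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 40114 ssh2
Jan 16 13:01:15 bastion sshd[2106]: Failed password for oracle from 198.51.100.4 port 50201 ssh2
Jan 16 13:01:40 bastion sshd[2107]: Failed password for root from 203.0.113.7 port 40115 ssh2
Jan 16 13:10:00 bastion sshd[2108]: Failed password for root from 203.0.113.7 port 40116 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_failed_logins(text, year=2005):
    """Yield (epoch_seconds, source_ip) for every 'Failed password' line.
    syslog lines carry no year, so one is supplied by the caller."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts.timestamp(), m["src"]

def threshold_by_src(events, count=5, seconds=120):
    """Approximation of Snort's 'type threshold, track by_src': per source,
    count events; once `count` land inside a `seconds` window, emit an alert
    and restart both the counter and the window. Returns [(src, epoch), ...]."""
    state = {}    # src -> (window_start, hits)
    alerts = []
    for ts, src in events:
        start, hits = state.get(src, (ts, 0))
        hits += 1
        if ts - start > seconds:      # window expired: this event opens a new one
            start, hits = ts, 1
        if hits >= count:
            alerts.append((src, ts))
            start, hits = ts, 0       # re-arm, as the 'threshold' type does
        state[src] = (start, hits)
    return alerts
```

Run with the defaults, the sample produces a single alert for 203.0.113.7 at the fifth failure; shrinking the window to 60 seconds yields none, which is the tuning trade-off the rule's `count`/`seconds` pair embodies.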