Re: Alert not detected once

[Daniel Cid <danielcid () yahoo com br>]

Hi Joao,

I think you are trying to use the wrong tool for that.
Snort do not have access to the content of the ssh
messages, so you don't know what is going on there
(if the login failed, succeeded, etc).
In addition to that, in just one session (or just one
Syn), a user may attempt 2 or 3 or more passwords
(depending on the sshd server config).

I really recommend you to use a log analysis tool
to solve this kind of problem. You will be able to
see the server response, the user name tried and
exactly the number of attempts. I have been using
ossec hids (I'm one of the developers) for that and 
it is working great. 

In addition to that, most of the people don't know,
but ossec can analyse snort logs and execute actions
based on them in a "safe" manner. For example, you
can configure it to block an IP if we see 5 snort
alerts within 1 minute for that IP (or if we see an
alert from a specific category, etc). It avoids
false-positives and make the active response much
more reliable...

*Example of alert from ossec on multiple ssh failed
logins (it will mail and administrator and block the
IP):

"
OSSEC HIDS Notification.
2006 May 11 21:17:07

Received From: /var/log/messages
Rule: 1512 fired (level 10) -> "SSHD brute force
trying to get access to the system.'"
Portion of the log(s):

sshd[9370]: Failed password for invalid user admin
from 200.30.175.162 port 58257 ssh2
sshd[9370]: Invalid user admin from 200.30.175.162
sshd[9368]: Failed password for invalid user fluffy
from 200.30.175.162 port 58212 ssh2
sshd[9368]: Invalid user fluffy from 200.30.175.162
sshd[9366]: Failed password for invalid user slasher
from 200.30.175.162 port 58109 ssh2
sshd[9366]: Invalid user slasher from 200.30.175.162
sshd[9364]: Failed password for invalid user sifak
from 200.30.175.162 port 58030 ssh2
"

Sorry if I changed the subject too much :)

Thanks,

--
Daniel B. Cid
dcid @ ( at ) ossec.net


> Hello snorters,
>
> A strange thing happened in my snort box. I'm only
> using snort to
> block ssh brute force attacks. I'm using it with
> snortsam and, because
> I couldn't patch the current snort version, I'm using
> the one already
> patched avaible at the snortsam web site (v 2.4.3
> Build 26).
> Everything was working great (26 sucessfull blocks)
> until yesterday
> when a brute force attack was missed (doesn't show in
> the snort logs).
> The system logs showed over 70 login failures in less
> than 10 minutes
> and I have a threshold of 5 SYN packets to the port
22 >per minute. The
> rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:
> "BLEEDING-EDGE
> Potential SSH Scan"; flags: S; threshold: type
> threshold, track
> by_src, count 5, seconds 60; sid: 2001219; rev:12;
> fwsam:
> src[either],5min; )
>
> Another attack after that one was still detected.
Does >anyone have a
> clue why did this happened? Was there a bugfix
related >to this in more
> recente snort releases?
>
> Thanks
>
> - --
> João Mota <joao () 3gnt net>
> 3GNTW - Tecnologias de Informação, Lda
>
> sip: joao () 3gnt net
> jid: joao () jabber 3gnt org


                
_______________________________________________________ 
Navegue com o Yahoo! Acesso Grátis, assista aos jogos do Brasil na Copa e ganhe prêmios de hora em hora! 
http://br.yahoo.com/artilheirodacopa/


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users