Snort mailing list archives
Re: Alert not detected once
From: Daniel Cid <danielcid () yahoo com br>
Date: Sat, 13 May 2006 11:35:11 -0300 (ART)
Hi Joao, I think you are trying to use the wrong tool for that. Snort do not have access to the content of the ssh messages, so you don't know what is going on there (if the login failed, succeeded, etc). In addition to that, in just one session (or just one Syn), a user may attempt 2 or 3 or more passwords (depending on the sshd server config). I really recommend you to use a log analysis tool to solve this kind of problem. You will be able to see the server response, the user name tried and exactly the number of attempts. I have been using ossec hids (I'm one of the developers) for that and it is working great. In addition to that, most of the people don't know, but ossec can analyse snort logs and execute actions based on them in a "safe" manner. For example, you can configure it to block an IP if we see 5 snort alerts within 1 minute for that IP (or if we see an alert from a specific category, etc). It avoids false-positives and make the active response much more reliable... *Example of alert from ossec on multiple ssh failed logins (it will mail and administrator and block the IP): " OSSEC HIDS Notification. 2006 May 11 21:17:07 Received From: /var/log/messages Rule: 1512 fired (level 10) -> "SSHD brute force trying to get access to the system.'" Portion of the log(s): sshd[9370]: Failed password for invalid user admin from 200.30.175.162 port 58257 ssh2 sshd[9370]: Invalid user admin from 200.30.175.162 sshd[9368]: Failed password for invalid user fluffy from 200.30.175.162 port 58212 ssh2 sshd[9368]: Invalid user fluffy from 200.30.175.162 sshd[9366]: Failed password for invalid user slasher from 200.30.175.162 port 58109 ssh2 sshd[9366]: Invalid user slasher from 200.30.175.162 sshd[9364]: Failed password for invalid user sifak from 200.30.175.162 port 58030 ssh2 " Sorry if I changed the subject too much :) Thanks, -- Daniel B. Cid dcid @ ( at ) ossec.net
Hello snorters, A strange thing happened in my snort box. I'm only using snort to block ssh brute force attacks. I'm using it with snortsam and, because I couldn't patch the current snort version, I'm using the one already patched avaible at the snortsam web site (v 2.4.3 Build 26). Everything was working great (26 sucessfull blocks) until yesterday when a brute force attack was missed (doesn't show in the snort logs). The system logs showed over 70 login failures in less than 10 minutes and I have a threshold of 5 SYN packets to the port
22 >per minute. The
rule: alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; threshold: type threshold, track by_src, count 5, seconds 60; sid: 2001219; rev:12; fwsam: src[either],5min; ) Another attack after that one was still detected.
Does >anyone have a
clue why did this happened? Was there a bugfix
related >to this in more
recente snort releases? Thanks - -- João Mota <joao () 3gnt net> 3GNTW - Tecnologias de Informação, Lda sip: joao () 3gnt net jid: joao () jabber 3gnt org
_______________________________________________________ Navegue com o Yahoo! Acesso Grátis, assista aos jogos do Brasil na Copa e ganhe prêmios de hora em hora! http://br.yahoo.com/artilheirodacopa/ ------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Alert not detected once João Mota (May 11)
- <Possible follow-ups>
- Re: Alert not detected once Daniel Cid (May 16)
- Re: Alert not detected once Daniel Cid (May 16)