Snort mailing list archives
Fwd: Failed FTP login signature
From: Christopher <christopher () dorkfire com>
Date: Wed, 23 May 2007 10:28:22 -0400
Just in case anyone else finds this useful:
The SSH, and FTP rules were taken from the bleeding snort rules.
They've been modified for use with snortsam. These have been working
great for us. The thresholds are what make these work great. With
snortsam, we can add DROP rules for everything from that IP address
to our firewall.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg: "BLOCKED
Potential SSH Scan"; \
priority:1; \
flags: S; flowbits: \
set,ssh.brute.attempt; \
threshold: type
threshold, track by_src, count 15, seconds 300; \
classtype: attempted-recon; \
reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/;
\
sid: 1000000; rev:13;
fwsam: src, 30 days;)
alert tcp $DMZ_NET 80 -> $EXTERNAL_NET any ( msg: "BLOCKED
Excessive HTTP 404 - Possible vulnerability scan"; \
priority:1; classtype:
attempted-recon; \
flow:established,from_server; \
threshold: type
threshold, track by_dst, count 30, seconds 300; \
fwsam: dst, 30 days; \
sid:1000001; rev:1; \
content:"404"; nocase;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( msg:"BLOCKED Potential
FTP Brute-Force attempt"; \
flow:from_server,established; \
content:"530 ";
pcre:"/^530\s+(Login|User|Failed)/smi"; \
classtype:unsuccessful-user; \
threshold: type
threshold, track by_dst, count 15, seconds 300; \
sid:1000002; rev:1; \
fwsam: dst, 30 days;)
On 5/23/07, Atkins, Dwane P <ATKINSD () uthscsa edu> wrote:
In an attempt to possible thwart attacks prior to arriving a the desktop, we are looking for a signature that would alert us as to when someone is trying to FTP or SSH into a system on our network. I am thinking that if someone has typed in 5 or 6 passwords and has not connected, then they certainly do not have a need to be there. Does anyone out there have a signature for this type of incident? We would probably be looking at Telnet, SSH, FTP and possible HTTP. Thanks Dwane Dwane Atkins 210-567-0158 ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Failed FTP login signature Atkins, Dwane P (May 23)
- Message not available
- Fwd: Failed FTP login signature Christopher (May 23)
- Re: Fwd: Failed FTP login signature Daniel Cid (May 28)
- Fwd: Failed FTP login signature Christopher (May 23)
- Message not available