Re: Trouble in triggering the snort rule to detect FTP Brute Force attack

[Joel Esler <joel.esler () me com>]

It looks like your connection is going from your home network outbound, so if you have your variables defined, you 
might not get the result you were expecting. 

However, to troubleshoot, you can try setting your variables to "any", and try removing your threshold statements from 
the rule. See if it triggers without the thresholds then adjust from there. 

--
Sent from my iPad
AIM: eslerjoel

On Apr 12, 2010, at 6:07 AM, manjushree ks <manjushree.ks () hotmail com> wrote:

> Hi, 
>
> This is Manju writing in to request any suggestions on the below snort rule,
>
> Rule that will detect more than 3 unsuccessful login attempts on a FTP server within a minute with username 
> administrator or Administrator or ADMINISTRATOR. The Hacker is trying to login with the username administrator or 
> Administrator orADMINISTRATOR.
>
>
> Below is the rule that I have been trying out,
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; 
> flow:to_server,established;content:"530 
> ";depth:4;pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi";content:"Administrator"; nocase;threshold:type 
> threshold, track by_src, count 3,seconds 60; classtype:suspicious-login; sid:3000002;)
>
> I have tried to login into a FTP server and below are the results,
>
> ******************************************
> root@ubuntu:~# ftp ftp.microsoft.com
> Connected to ftp.microsoft.akadns.net.
> 220 Microsoft FTP Service
> Name (ftp.microsoft.com:manjushree): administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> Remote system type is Windows_NT.
> ftp> user administrator
> 331 Password required for administrator.
> Password: 
> 530 User cannot log in.
> Login failed.
> ftp> user administrator
> 331 Password required for administrator.
> Password: 
> 530 User cannot log in.
> Login failed.
> ************************************************
>
> But I dont have alerts being triggerd. Could anyone please let me know where am I going wrong?
>
> Thanks!
> Manju
> ------------------------------------------------------------------------------
> Download Intel&#174; Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

------------------------------------------------------------------------------
Download Intel&#174; Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs
proactively, and fine-tune applications for parallel performance.
See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs