Snort mailing list archives
Re: Trouble in triggering the snort rule to detect FTP Brute Force attack
From: Joel Esler <joel.esler () me com>
Date: Mon, 12 Apr 2010 10:07:13 -0400
It looks like your connection is going from your home network outbound, so if you have your variables defined, you might not get the result you were expecting. However, to troubleshoot, you can try setting your variables to "any", and try removing your threshold statements from the rule. See if it triggers without the thresholds, then adjust from there.

--
Sent from my iPad
AIM: eslerjoel

On Apr 12, 2010, at 6:07 AM, manjushree ks <manjushree.ks () hotmail com> wrote:
Hi,

This is Manju writing in to request any suggestions on the below snort rule: a rule that will detect more than 3 unsuccessful login attempts on a FTP server within a minute with username administrator or Administrator or ADMINISTRATOR. The Hacker is trying to login with the username administrator or Administrator or ADMINISTRATOR.

Below is the rule that I have been trying out,

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; flow:to_server,established; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi"; content:"Administrator"; nocase; threshold:type threshold, track by_src, count 3, seconds 60; classtype:suspicious-login; sid:3000002;)

I have tried to login into a FTP server and below are the results,

******************************************
root@ubuntu:~# ftp ftp.microsoft.com
Connected to ftp.microsoft.akadns.net.
220 Microsoft FTP Service
Name (ftp.microsoft.com:manjushree): administrator
331 Password required for administrator.
Password:
530 User cannot log in.
Login failed.
Remote system type is Windows_NT.
ftp> user administrator
331 Password required for administrator.
Password:
530 User cannot log in.
Login failed.
ftp> user administrator
331 Password required for administrator.
Password:
530 User cannot log in.
Login failed.
************************************************

But I don't have alerts being triggered. Could anyone please let me know where am I going wrong?

Thanks!
Manju

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
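Added example (editor's illustration, not code from any post in this thread): why the quoted rule can never fire, and a two-rule rewrite that tracks the administrator USER command and the server's 530 replies on the same TCP session. The SIDs 3000010/3000011 and the flowbit name are assumptions; the count of 3 failures in 60 seconds is the poster's requirement.

```snort
# Original rule from the thread (as quoted, with its sid) and the two reasons it
# cannot match:
#  1. "530 ..." is a SERVER reply, but the header is client -> server (port 21 is
#     the destination) and flow:to_server only inspects client -> server packets.
#  2. The username is never in the 530 reply ("530 User cannot log in."), so
#     content:"530 " and content:"Administrator" can never both hit one packet.
#
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; \
#   flow:to_server,established; content:"530 "; depth:4; ... content:"Administrator"; \
#   nocase; threshold:type threshold, track by_src, count 3, seconds 60; ... sid:3000002;)
#
# Note: $HOME_NET must contain the FTP server being watched. Testing from a lab
# box against an outside server makes the connection outbound, which is Joel's
# point above; for that test use ipvar HOME_NET any / ipvar EXTERNAL_NET any.

# Rule 1: remember that this session asked for the administrator account.
# Client -> server, so to_server is correct here. nocase covers administrator /
# Administrator / ADMINISTRATOR. flowbits:noalert keeps this rule silent; it only
# sets a per-session marker (assumed name: ftp.admin_user). The marker stays set
# for the rest of the TCP session, which matches the retry pattern in the
# transcript above (three "user administrator" attempts on one connection).
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ( \
    msg:"FTP USER administrator seen"; \
    flow:to_server,established; \
    content:"USER "; depth:5; nocase; \
    content:"administrator"; within:20; nocase; \
    flowbits:set,ftp.admin_user; flowbits:noalert; \
    classtype:suspicious-login; sid:3000010; rev:1; )

# Rule 2: count the server's 530 failures going back to the client, but only on
# sessions where Rule 1 fired. Header and flow are reversed (server port 21 ->
# client, to_client) and the threshold tracks by_dst, because the client is now
# the destination address. Alerts once 3 such failures reach the same client
# within 60 seconds; the pcre alternation is the poster's.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( \
    msg:"FTP Potential Brute Force Attack (3 x 530 for administrator in 60s)"; \
    flow:to_client,established; \
    flowbits:isset,ftp.admin_user; \
    content:"530 "; depth:4; \
    pcre:"/^530\s+(Login|User|Failed|Not|Logged|In)/smi"; \
    threshold:type threshold, track by_dst, count 3, seconds 60; \
    classtype:suspicious-login; sid:3000011; rev:1; )
```

To confirm the direction fix independently of the counting, do as Joel suggests and run Rule 2 without the threshold line first; one alert per 530 reply proves the packets are being inspected, and the threshold can then be put back.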
Current thread:
- Trouble in triggering the snort rule to detect FTP Brute Force attack manjushree ks (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Eoin Miller (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Nigel Houghton (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack evilghost () packetmail net (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Joel Esler (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack evilghost () packetmail net (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack CunningPike (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack evilghost () packetmail net (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Nigel Houghton (Apr 12)
- Re: Trouble in triggering the snort rule to detect FTP Brute Force attack Eoin Miller (Apr 12)