Snort mailing list archives

Re: Can someone show an example how to force snort block ssh bruteforce?


From: "Castle, Shane" <scastle () bouldercounty org>
Date: Mon, 23 Apr 2012 15:11:51 +0000

See the info about snortsam, too: http://www.snortsam.net/

Even though it was originally written for Check Point FW-1 (hence the "sam") it can tickle other firewalls as well. The 
beta Barnyard2 has snortsam written into it and it should soon find its way into the standard release.

By the time Snort alerts on the SSH brute force it may be too late for any truly vulnerable systems. If at all possible 
you should harden potentially vulnerable systems using SSH: not use passwords at all, if possible (certs only); move to 
a nonstandard port; longer and more complex passphrases; and so on. A HIDS solution on the system running sshd may be 
able to respond much faster.

-- 
Shane Castle
Data Security Mgr, Boulder County IT
CISSP GSEC GCIH


-----Original Message-----
From: waldo kitty [mailto:wkitty42 () windstream net] 
Sent: Monday, April 23, 2012 08:56
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Can someone show an example how to force snort block ssh bruteforce?

On 4/23/2012 08:32, kay wrote:
It would be nice if you told me the app name which reacts to snort
alerts and blocks traffic.

currently the "app" i speak of is written in perl and known as GAR (Guardian 
Active Response)... i took over maintaining it when the previous maintainer 
disappeared several years ago... at this time, it is rather dedicated to one 
particular FOSS firewall product known as Smoothwall Express...

the concept is very simple and numerous other packages out there perform much 
the same task... simply analyze the output from snort and issue a signal to the 
network security team or directly issue a firewall block rule to the firewall 
or, if in inline mode, drop the traffic by not passing it on... depending on the 
implementation and configuration, of course... automated responses can result in 
legitimate traffic being blocked if one has not tuned the snort rules and the 
security app to one's network traffic and needs... "tuning the rules" meaning to 
enable those that are needed for your network's traffic and security and disable 
those that are not desired... this also applies to your chosen monitoring 
software... for instance, you may have snort alert on certain traffic that 
arrives 5 times in 60 seconds and then you might have your monitoring software 
raise a warning signal if it sees that alert 5 times... your monitoring 
software may or may not have the ability to react to this traffic... some do and 
some do not... some prefer to have humans looking at the reports as they happen 
and let them decide to block or not...

as far as your subject line goes, one could start off with a simple snort rule 
looking for a SYN on port 22 and counting the number of times this happens from 
the same IP within a certain period of time (thresholding/detection_filter)...

And again, your messages are not full enough. What did you mean
when you said that "snort in IPS mode handles these blocks on its own"?
=)

"on its own" meaning that it issues the block with no outside assistance... in 
other words, running in inline mode and using DROP instead of ALERT... in inline 
mode, snort bonds two NICs together and sits between them passing and watching 
the traffic flowing thru them... so it is in the perfect place to drop certain 
traffic into the bitbucket...

At the moment my prior task is to research opensource IPS systems and
choose the best, and your "on its own" words confused me.

my apologies... i wasn't aware of a possible language or syntactic problem... i 
see, now, from your quote header that you speak russian... i can provide 
translations to russian if that will help understanding my messages?

On 23 April 2012 at 15:12, waldo kitty
<wkitty42 () windstream net> wrote:
What do you mean? Snort is an IPS, OSSEC is an IDS.

actually, snort is both IDS and IPS... but ONLY insofar as it looks at the
traffic on the wire and compares it with its rules... i use snort as an IDS with
another tool that monitors snort's alerts and sets blocks based on those
alerts... snort in IPS mode handles these blocks on its own...

AFAIK, OSSEC is an IDS but it goes deeper than just using snort's alerts ;)



------------------------------------------------------------------------------
For Developers, A Lot Can Happen In A Second.
Boundary is the first to Know...and Tell You.
Monitor Your Applications in Ultra-Fine Resolution. Try it FREE!
http://p.sf.net/sfu/Boundary-d2dvs2
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
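The active-response pattern the thread describes (a Snort rule with a detection_filter that alerts on repeated SSH SYNs from one source, plus a watcher that reads Snort's alerts and hands a block to the firewall), as an added example that is not part of the thread and is not GAR or snortsam code. The Snort rule in the comment, the fast-format alert lines, the thresholds, the sid and the trusted ranges are all constructed for illustration; the script only returns the iptables commands it would issue and executes nothing.

```python
"""Watcher over Snort fast-format alerts that plans SSH brute-force blocks.

Added example, not GAR or snortsam. An assumed Snort 2.x rule (comment below)
alerts once a source sends 5 SYNs to port 22 in 60 s; this script applies a
second per-source threshold over those alerts, skips trusted ranges (the
"tuning" the thread warns about) and returns the firewall commands it
*would* run. Nothing is executed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed rule (not from the thread) that would produce the alerts parsed below:
#   alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt";
#       flags:S; flow:stateless;
#       detection_filter:track by_src, count 5, seconds 60;
#       classtype:attempted-recon; sid:1000001; rev:1;)
WATCHED_SID = 1000001
ALERT_COUNT = 5          # this many alerts from one source ...
WINDOW_SECONDS = 60      # ... inside this window trigger a block
# Ranges never blocked automatically (assumed local/trusted networks).
NEVER_BLOCK = [ip_network("192.168.0.0/16"), ip_network("10.0.0.0/8")]

# Layout of one "output alert_fast" line (the timestamp carries no year).
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def _fast(ts, sid, src, dst="198.51.100.5", dport=22):
    """Build a constructed alert_fast line (sample data, not real traffic)."""
    return (f"{ts}.000000  [**] [1:{sid}:1] SSH brute force attempt [**] "
            f"[Classification: Attempted Information Leak] [Priority: 2] "
            f"{{TCP}} {src}:51000 -> {dst}:{dport}")


# Constructed sample log: one attacker, one noisy-but-tolerable host,
# one trusted host, one junk line and one alert from an unrelated sid.
SAMPLE_ALERTS = [
    _fast("04/23-08:56:01", 1000001, "203.0.113.7"),
    _fast("04/23-08:56:10", 1000001, "203.0.113.7"),
    _fast("04/23-08:56:20", 1000001, "203.0.113.7"),
    "this line is not a Snort alert and must be ignored",
    _fast("04/23-08:56:30", 1000001, "203.0.113.7"),
    _fast("04/23-08:56:40", 1000001, "203.0.113.7"),   # 5th hit in 39 s -> block
    _fast("04/23-08:57:00", 1000001, "198.51.100.9"),
    _fast("04/23-08:57:15", 1000002, "198.51.100.9"),  # other sid, not counted
    _fast("04/23-08:57:15", 1000001, "198.51.100.9"),
    _fast("04/23-08:57:30", 1000001, "198.51.100.9"),  # only 3 hits: no block
    _fast("04/23-08:58:00", 1000001, "192.168.1.5"),   # trusted range: 5 hits,
    _fast("04/23-08:58:10", 1000001, "192.168.1.5"),   # still never blocked
    _fast("04/23-08:58:20", 1000001, "192.168.1.5"),
    _fast("04/23-08:58:30", 1000001, "192.168.1.5"),
    _fast("04/23-08:58:40", 1000001, "192.168.1.5"),
]


def parse_alert(line, year=2012):
    """Return the fields of one alert_fast line, or None if it is not one."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    # No year in the log line; assume one (real code: the log file's year).
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
    return {"ts": ts, "sid": int(m["sid"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def plan_blocks(lines, count=ALERT_COUNT, window=WINDOW_SECONDS, sid=WATCHED_SID):
    """Sliding-window count of alerts per source; return the commands to issue."""
    recent = defaultdict(deque)   # src ip -> alert timestamps inside the window
    blocked = []                  # in order of detection, each source once
    for line in lines:
        a = parse_alert(line)
        if a is None or a["sid"] != sid:
            continue
        src = a["src"]
        q = recent[src]
        q.append(a["ts"])
        while (a["ts"] - q[0]).total_seconds() > window:
            q.popleft()           # drop hits that fell out of the window
        if len(q) < count or src in blocked:
            continue
        if any(ip_address(src) in net for net in NEVER_BLOCK):
            continue              # tuned out: never auto-block trusted ranges
        blocked.append(src)
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 22 -j DROP" for ip in blocked]


if __name__ == "__main__":
    for cmd in plan_blocks(SAMPLE_ALERTS):
        print(cmd)
```

Run as-is it prints the single block for 203.0.113.7. The two thresholds stack: Snort's detection_filter suppresses the first four SYNs, and the watcher only acts after several such alerts, which is the "alert 5 times, then warn or block" layering the thread sketches. The NEVER_BLOCK check is the minimum tuning before letting any such script touch a firewall; without it a spoofed-source SYN flood can make the watcher block your own hosts, and as the thread notes, a HIDS on the sshd box or key-only authentication reacts earlier than a network sensor can.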
