[Snort-sigs] sid 718 Description

Warchild warchild at ...288...
Tue Jan 22 19:45:09 EST 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flags: A+; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:2;) 

--
Sid: 718

--
Summary:
A "Login incorrect" message was detected in a telnet session.

--
Impact:
The login process failed as part of the telnet authentication process.  In
the worst case, someone may be trying to brute-force/enumerate user
accounts and passwords.

--
Detailed Information:
The login process failed as part of the telnet authentication process.  In 
the worst case, someone may be trying to brute-force/enumerate user 
accounts and passwords.  This may just be a user who incorrectly typed
his/her login name and/or password and is therefore legitimate traffic.

--
Attack Scenarios:
An attacker attempts known/common login names and passwords as part of an
attempt to gain access to a system running the telnet daemon.  

--
Ease of Attack:
Trivial for basic attacks -- an attacker simply needs access to a telnet
client and the motivation and time to try to guess/brute-force login names
and passwords.

--
False Positives:
A legitimate user accidentally typed in his/her/their login and/or password
incorrectly, triggering a "Login incorrect" message.

--
False Negatives:
The rule matches only the literal string "Login incorrect" sent by the
server.  If a particular telnet daemon uses different wording to signal an
incorrect login, legitimate user errors and potential malicious activity
may pass undetected.
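The match the rule performs, and the one-typo versus guessing-run distinction the Detailed Information and False Positives sections describe, as an added example that is not part of the original post or of Snort. The script re-implements the sid 718 conditions (server side of a telnet session inside $HOME_NET, ACK set, payload containing the literal string) in Python over constructed packet records, then counts hits per client so a burst of failures stands out from a single mistyped password. The $HOME_NET value, the sample addresses and payloads, and the "Login failed" wording of the hypothetical other daemon are all assumptions.

```python
"""Added example: sid 718 ("TELNET login incorrect") re-implemented over
constructed packet records, plus a per-client burst counter.  Not the
original post's code and not Snort; $HOME_NET, addresses and payloads are
assumed/constructed."""
import ipaddress
from collections import defaultdict

SIGNATURE = b"Login incorrect"                  # content: string of sid 718
TELNET_PORT = 23                                # server port in the rule header
HOME_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed value of $HOME_NET


def _pkt(ts, src, sport, dst, dport, ack, payload):
    """Minimal packet record: timestamp, endpoints, ACK flag, TCP payload."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "ack": ack, "payload": payload}


# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    # legitimate user mistypes once, then logs in: one alert, no burst
    _pkt(0.0, "10.0.0.5", 23, "203.0.113.7", 40123, True, b"\r\nlogin: "),
    _pkt(2.5, "10.0.0.5", 23, "203.0.113.7", 40123, True,
         b"\r\nLogin incorrect\r\nlogin: "),
    _pkt(9.0, "10.0.0.5", 23, "203.0.113.7", 40123, True,
         b"Last login: Tue Jan 22\r\n$ "),
    # same string in client->server data: wrong direction, must not match
    _pkt(3.0, "203.0.113.7", 40123, "10.0.0.5", 23, True, b"Login incorrect\r\n"),
    # ACK flag clear: flags:A+ requires ACK, so no match
    _pkt(4.0, "10.0.0.5", 23, "198.51.100.9", 51000, False, b"Login incorrect"),
    # hypothetical daemon with different wording: the false negative case
    _pkt(7.0, "10.0.0.5", 23, "192.0.2.33", 60000, True, b"\r\nLogin failed\r\n"),
]
# guessing run: ten failures from one client against one server within 30 s
SAMPLE_PACKETS += [
    _pkt(20.0 + 3 * i, "10.0.0.5", 23, "198.51.100.9", 51000 + i, True,
         b"\r\nLogin incorrect\r\nlogin: ")
    for i in range(10)
]


def matches_sid718(pkt, home_net=HOME_NET):
    """The rule's conditions, taken from the server's side of the session:
    source inside $HOME_NET on port 23, ACK set, literal string in payload."""
    return (ipaddress.ip_address(pkt["src"]) in home_net
            and pkt["sport"] == TELNET_PORT
            and pkt["ack"]
            and SIGNATURE in pkt["payload"])


def alerts(packets, home_net=HOME_NET):
    """(timestamp, client_ip, server_ip) for every packet that fires."""
    return [(p["ts"], p["dst"], p["src"])
            for p in packets if matches_sid718(p, home_net)]


def classify_clients(packets, home_net=HOME_NET, threshold=3, window=60.0):
    """Flag a client when `threshold` or more alerts fall inside any
    `window`-second span; fewer hits are the 'user mistyped' case."""
    stamps_by_client = defaultdict(list)
    for ts, client, _server in alerts(packets, home_net):
        stamps_by_client[client].append(ts)
    verdict = {}
    for client, stamps in stamps_by_client.items():
        stamps.sort()
        burst, start = False, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        verdict[client] = "possible brute force" if burst else "isolated failure"
    return verdict


if __name__ == "__main__":
    for ts, client, server in alerts(SAMPLE_PACKETS):
        print(f"[{ts:5.1f}] TELNET login incorrect  {server}:23 -> {client}")
    for client, verdict in sorted(classify_clients(SAMPLE_PACKETS).items()):
        print(f"{client}: {verdict}")
```

Run as-is it prints eleven alerts (one for the typo, ten for the guessing run) and flags only the second client; the client-to-server packet, the packet without ACK, and the "Login failed" daemon produce nothing, which is exactly the behaviour the False Positives and False Negatives sections describe. The burst threshold and window are the analyst's choice, not part of the rule.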

--
Corrective Action:
Check the corresponding logs on the machine in question to see whether
mischief was happening.  If so, determine what (if any) accounts may have
been accessed, and whether or not the remote user is a legitimate one.  

Disallow telnet access, and encourage the use of more secure methods such
as SSH (see the references below).

--
Contributors:
Warchild <warchild at ...288...>
Jon Hart <jhart at ...289...>

-- 
Additional References:
http://www.openssh.org
http://www.ssh.com
http://www.cert.org/security-improvement/#practices
