AW: [Snort-sigs] Regarding rule 491 INFO FTP Bad login

Sean Wheeler s.wheeler at ...944...
Mon Jul 14 08:09:54 EDT 2003


Hi,

On the broad assumption that a frontend is being used to display the alert,
the frontend could just lookup the rule details and make that visible.

using the rule 491 :
alert tcp $FTP_Servers $ftp -> $any $any (msg:"INFO FTP Bad login";
content:"530 Login "; nocase; flow:from_server,established;
classtype:bad-unknown; sid:491; rev:6;)

It is clear that the direction is from an FTP server, the flow also being
from_server so if the frontend looked up this kinda info from the rule in
relation to the alert it would pretty much be able to tell you who the bad
guy/girl really is.

I think this is what was requested(Martin) for snort to perform, but could
just as easily be done in the frontend(provided frontend has access to that
sensors ruleset)
without having snort burn cpu time.

Sean


-----Ursprungliche Nachricht-----
Von: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]Im Auftrag von Martin
Olsson
Gesendet: Montag, 14. Juli 2003 14:53
An: J-H. Johansen
Cc: snort-sigs at lists.sourceforge.net
Betreff: Re: [Snort-sigs] Regarding rule 491 INFO FTP Bad login



On Mon, 14 Jul 2003, J-H. Johansen wrote:
> When the 491 rule logs it logs the destination and source addresses.
> Since the rule actually kicks into effect when destination fails to login
shouldn't the log output then switch destination with source and source with
destination ?
> Does snort support this kind of switching ?

No, snort doesn't, and I don't think it should. The operator analyzing the
alert should see the alerts unmodified in order to keep it simple and
understandable.

Instead I've made a request (in the snort-devel-mailinglist) for some kind
of tagging-system where each alert is tagged with information about where
the bad guy is located, src or dst. In your case it would be the
destination side since the source is the attacked FTP server.

/Martin



-------------------------------------------------------
This SF.Net email sponsored by: Parasoft
Error proof Web apps, automate testing & more.
Download & eval WebKing and get a free book.
www.parasoft.com/bulletproofapps1
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs





More information about the Snort-sigs mailing list