[Snort-sigs] RE: FTP brute force login signature

Milani Paolo Paolo.Milani at ...1843...
Wed Nov 12 07:05:04 EST 2003


I think that with the new thresholding capabilities you can write rules for a brute force login attempt. These features are documented in doc/README.thresholding (and implemented from version 2.0.2).

I am going to try, although I am not very familiar with this new feature, so I'll start with the FTP bad login rule mentioned by Adam.

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login "; nocase; flow:from_server,established; classtype:bad-unknown; sid:491; rev:5;)

(personally I would prefer content:"530"; within:3; since the text after the 530 code is not RFC-defined, and the space may be replaced by - if the message is longer than one line. Of course this may in turn fail if the server sends multiple replies in a single packet, but that doesn't usually happen as far as I know.)

and add the threshold option:

threshold: type both, track by_dst, count 100, seconds 100;

Type both means that after the alert has happened 100 times in 100 seconds, an alert is issued, then no more such alerts are issued for the rest of the time period.
track by_dst means that we would be tracking how many such packets have our ftp server as destination, so we can also catch distributed brute force attacks.
Of course count and seconds need to be tuned. 

So here it is:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute force attack"; content:"530 Login "; nocase; flow:from_server,established; threshold: type both, track by_dst, count 100, seconds 100; sid:10491;)

I have not tested this, so take it with due caution.

I think it is also possible to have multiple rules count against the same threshold, by giving them the same sid (ugly!), so we could also add the other rule Adam suggested:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Brute force attack"; content:"PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3; flow:from_client,established; threshold: type both, track by_dst, count 100, seconds 100; sid:10491;)

Honestly, I do not know if this will work at all; I still have 2.0.0 installed, or I would test this before saying something stupid.
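As an added illustration (not from this thread and not Snort's own code), the following Python models the three threshold types from README.thresholding, keyed the way `track by_dst` is for the second rule above (client -> server port 21), and runs them over constructed failed-login events with a small count and window so the behaviour is visible. The class and helper names are hypothetical.

```python
# Constructed model of Snort 2.x rule thresholding (README.thresholding):
#   limit     - alert on the first `count` events per window, then stop
#   threshold - alert every `count` events within the window
#   both      - alert once when the window reaches `count`, then stop
# Hypothetical helper, not Snort's implementation; timestamps are seconds.

class RuleThreshold:
    def __init__(self, kind, track, count, seconds):
        assert kind in ("limit", "threshold", "both")
        assert track in ("by_src", "by_dst")
        self.kind, self.track = kind, track
        self.count, self.seconds = count, seconds
        self._state = {}  # tracked address -> (window_start, hits)

    def check(self, ts, src, dst):
        """Return True if the event at time `ts` should raise an alert."""
        key = src if self.track == "by_src" else dst
        start, hits = self._state.get(key, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start a new one
            start, hits = ts, 0
        hits += 1
        self._state[key] = (start, hits)
        if self.kind == "limit":
            return hits <= self.count
        if self.kind == "threshold":
            return hits % self.count == 0
        return hits == self.count           # "both": exactly once per window


def run_events(th, events):
    """Feed (ts, src, dst) tuples in time order; return timestamps that alerted."""
    return [ts for ts, s, d in events if th.check(ts, s, d)]


# Constructed sample: two clients sending PASS to one FTP server (10 events in
# 10 s), a second burst after the window has expired, and one lone attempt
# against another server. count=5, seconds=100 instead of the rule's 100/100.
EVENTS = [(t, "10.0.0.%d" % (1 + t % 2), "192.0.2.21") for t in range(10)]
EVENTS += [(t, "10.0.0.1", "192.0.2.21") for t in range(200, 206)]
EVENTS += [(3, "10.0.0.9", "192.0.2.22")]
EVENTS.sort()


def demo(count=5, seconds=100):
    """Alert timestamps produced by each threshold type over EVENTS."""
    return {kind: run_events(RuleThreshold(kind, "by_dst", count, seconds), EVENTS)
            for kind in ("limit", "threshold", "both")}


if __name__ == "__main__":
    for kind, alerts in demo().items():
        print("%-9s -> alerts at t=%s" % (kind, alerts))
```

With `both`, the two-client burst collapses to a single alert at the 5th failure and a second one only after the 100 s window has elapsed, which is the distributed-attempt aggregation the thread describes.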
Message: 2
Date: Mon, 10 Nov 2003 20:25:39 +0530
From: "Mandar S. Dalvi" <mandard at ...2023...>
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Snort Rules

I am trying to detect the brute force FTP login attempt.
Does Snort detect the brute force FTP login attempt? If yes, what is the exact rule name for this?



Message: 3
Subject: RE: [Snort-sigs] Snort Rules
Date: Tue, 11 Nov 2003 09:31:25 -0500
From: "adam.w.hogan" <adam.w.hogan at ...1605...>
To: <snort-sigs at lists.sourceforge.net>
Cc: "Mandar S. Dalvi" <mandard at ...2023...>

Rules 489 and 491 are the rules for INFO FTP No Password and INFO FTP
Bad login.  An excessive amount of alerts on these rules in a small time
frame can indicate a brute force attack.


