[Snort-sigs] RE: FTP brute force login signature

adam.w.hogan adam.w.hogan at ...1605...
Thu Nov 13 07:15:12 EST 2003

Excellent idea, thresholding is turning out to be an incredibly useful feature.  I work on a ridiculously large network, so anything to help limit the amount of data and the number of false positives is a god-send. 

I tested the rule Milani suggested for FTP Brute force attack last night with a few publicly available dictionary attack programs [0].  The rule did an excellent job of catching the programs that run through a giant list of words to try as passwords.  It greatly reduced the amount of alerts to look through, and more importantly, it cuts out false positives from the casual user who fat-fingers the keyboard while typing in their password.

But, the rule does not catch programs that use a much smaller list of passwords to try.  Lately I've seen a lot of worms that use a simple list of passwords like user name, user name backwards, admin, secret, blank, etc. instead of running through a giant dictionary.  So I want to through out an idea for comments to shorten the necessary threshold triggers.  I guess the trick is putting it just out of range of the user who can't remember his password.  Here's my suggestion for the rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute force attack"; content:"530 Login "; nocase; flow:from_server,established;  threshold: type both, track by_dst, count 5, seconds 10; sid:10491;)

Any thoughts?


[0] www.packetstorm.com

-----Original Message-----
From: Milani Paolo [mailto:Paolo.Milani at ...1843...]
Sent: Wednesday, November 12, 2003 10:04 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] RE: FTP brute force login signature


I think that with the new threshholding capabilities you can write rules for a brute force login attempt.. These features are documented in doc/README.threshholding (and implemented from version 2.0.2).

I am going to try, although I am not very familiar with this new feature, so
I'll start with the ftp bad login rule mentioned by Adam.

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login "; nocase; flow:from_server,established; classtype:bad-unknown; sid:491; rev:5;)

(personally I would prefer content:"530";within 3; since the text after the 530 code is not rfc defined, and the space may be replaced by - if message is longer than one line. Of course this may in turn fail if server sends multiple replies in a single packet, but that doesn't usually happen as far as I know.)

and add threshhold option:

threshhold: type both,track by_dst,count 100,seconds 100;

Type both means that after 100 times that alert happens in 100 seconds, an alert is issued, then no more such alerts are issued in the time period.
track by_dst means that we would be tracking how many such packets have our ftp server as destination, so we can also catch distributed brute force attacks.
Of course count and seconds need to be tuned.

So here it is:
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute force attack"; content:"530 Login "; nocase; flow:from_server,established;  threshhold: type both,track by_dst,count 100,seconds 100;sid:10491;)

I have not tested this, so take it with due caution.

I think it is also possible to have multiple rules count against the same threshhold, by giving them the same sid (ugly!) so we could also add the other rule Adam suggested:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Brute force attack"; content: "PASS"; nocase; offset:0; depth:4; content:"|0a|"; within:3;  flow:from_client,established;threshhold: type both,track by_dst,count 100,seconds 100; sid:10491;)

honestly I do not know if this will work at all, I still have 2.0.0 installed, or i would test this before saying something stupid.
Message: 2
Date: Mon, 10 Nov 2003 20:25:39 +0530
From: "Mandar S. Dalvi" <mandard at ...2023...>
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] Snort Rules

I am trying to detect the Brute force FTP login attempt.
Does snort detect the Brute force FTP login attempt,if yes what is the
exact rule name for this?



Message: 3
Subject: RE: [Snort-sigs] Snort Rules
Date: Tue, 11 Nov 2003 09:31:25 -0500
From: "adam.w.hogan" <adam.w.hogan at ...1605...>
To: <snort-sigs at lists.sourceforge.net>
Cc: "Mandar S. Dalvi" <mandard at ...2023...>

Rules 489 and 491 are the rules for INFO FTP No Password and INFO FTP
Bad login.  An excessive amount of alerts on these rules in a small time
frame can indicate a brute force attack.


This message and its attachments are addressed solely to the persons
above and may contain confidential information. If you have received
the message in error, be informed that any use of the content hereof
is prohibited. Please return it immediately to the sender and delete
the message. Should you have any questions, please contact us by
replying to MailAdmin at ...1844... Thank you

This SF.Net email sponsored by: ApacheCon 2003,
16-19 November in Las Vegas. Learn firsthand the latest
developments in Apache, PHP, Perl, XML, Java, MySQL,
WebDAV, and more! http://www.apachecon.com/
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net


Note: The information contained in this message may be privileged and confidential and thus protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you.


More information about the Snort-sigs mailing list