[Snort-sigs] RE: FTP brute force login signature
j.riden at ...1766...
Thu Nov 13 12:51:03 EST 2003
"adam.w.hogan" <adam.w.hogan at ...1605...> writes:
> But, the rule does not catch programs that use a much smaller list of passwords to try. Lately I've seen a lot of worms that use a simple list of passwords like user name, user name backwards, admin, secret, blank, etc. instead of running through a giant dictionary. So I want to throw out an idea for comments to shorten the necessary threshold triggers. I guess the trick is putting it just out of range of the user who can't remember his password. Here's my suggestion for the rule:
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute force attack"; content:"530 Login "; nocase; flow:from_server,established; threshold: type both, track by_dst, count 5, seconds 10; sid:10491;)
> Any thoughts?
Why not cover the brute-force case with a threshold, and then add
separate rules for default and common passwords?
(Assuming you're running something like John the Ripper to make sure
people don't really have guessable passwords.)
James Riden / j.riden at ...1766... / Systems Programmer - Security
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402 / mobile: 025 671 6418
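One way to see how the two layers James describes interact, as an added example that is not part of the original thread: a stand-alone Python model of the proposed threshold rule (count 5, seconds 10, tracked by the client address that receives the 530 reply, which is what track by_dst means for a from_server rule) next to a separate check for the worm-style guesses Adam lists (user name, user name backwards, admin, secret, blank). The common-password list, the transcript format and the session it runs over are constructed for this illustration, not real captures, and the threshold class is a plain reading of Snort's "type both" semantics (alert once when the count is reached inside the window, suppress the rest of the window), not Snort's own code.

```python
"""Offline model of the two-layer FTP detection discussed above.

Added example, not from the original post.  The threshold numbers (count 5,
seconds 10, tracked by the client address) are the ones in the proposed rule;
the common-password list, the transcript format and the sample session are
constructed for this illustration.
"""

COUNT = 5       # threshold: count 5
SECONDS = 10    # threshold: seconds 10

# Hypothetical list of default/common passwords a worm would try; tune per site.
COMMON_PASSWORDS = {"", "admin", "secret", "password", "123456"}


def is_guessable(user, password):
    """Worm-style guesses: blank, a common default, the username, or the username reversed."""
    u, p = user.lower(), password.lower()
    return p in COMMON_PASSWORDS or p == u or p == u[::-1]


class BothThreshold:
    """Mimics Snort 'threshold: type both': fire once when `count` events land
    within `seconds` of the first one, then stay quiet until that window ends."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.windows = {}  # tracked key -> (window_start, events_seen)

    def event(self, key, ts):
        start, seen = self.windows.get(key, (None, 0))
        if start is None or ts - start >= self.seconds:
            start, seen = ts, 0  # open a fresh window on the first event
        seen += 1
        self.windows[key] = (start, seen)
        return seen == self.count  # the Nth event fires; later ones are suppressed


def analyze(transcript):
    """Run both detections over a transcript of '<ts> <client> <dir> <payload>'
    lines, where '>' is client->server and '<' is server->client."""
    brute = BothThreshold(COUNT, SECONDS)
    last_user = {}  # client -> last USER seen, so a PASS can be paired with it
    alerts = {"brute_force": [], "guessable": []}
    for line in transcript.strip().splitlines():
        ts, client, direction, payload = line.split(maxsplit=3)
        ts = float(ts)
        if direction == ">":
            verb, _, arg = payload.partition(" ")
            if verb.upper() == "USER":
                last_user[client] = arg
            elif verb.upper() == "PASS" and client in last_user:
                user = last_user[client]
                if is_guessable(user, arg):
                    alerts["guessable"].append((client, user, arg))
        # server -> client: content:"530 Login "; nocase; track by_dst == the client
        elif "530 login " in payload.lower():
            if brute.event(client, ts):
                alerts["brute_force"].append((client, ts))
    return alerts


# Constructed session: 10.0.0.5 is a worm walking a short guess list against
# "alice"; 10.0.0.9 is a real user who mistypes once and logs in 19 s later.
SAMPLE_TRANSCRIPT = """
1000.0 10.0.0.5 > USER alice
1000.5 10.0.0.5 > PASS alice
1000.6 10.0.0.5 < 530 Login incorrect.
1001.0 10.0.0.9 > USER carol
1001.5 10.0.0.9 > PASS hunter2x
1001.6 10.0.0.9 < 530 Login incorrect.
1002.0 10.0.0.5 > PASS ecila
1002.1 10.0.0.5 < 530 Login incorrect.
1003.5 10.0.0.5 > PASS admin
1003.6 10.0.0.5 < 530 Login incorrect.
1005.0 10.0.0.5 > PASS secret
1005.1 10.0.0.5 < 530 Login incorrect.
1006.5 10.0.0.5 > PASS
1006.6 10.0.0.5 < 530 Login incorrect.
1008.0 10.0.0.5 > PASS letmein
1008.1 10.0.0.5 < 530 Login incorrect.
1020.0 10.0.0.9 > USER carol
1020.5 10.0.0.9 > PASS Hunter2!x
1020.6 10.0.0.9 < 230 Login successful.
"""

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_TRANSCRIPT).items():
        print(kind, hits)
```

Running it shows the split the thread is after: the threshold rule fires exactly once for 10.0.0.5 (on the fifth 530 at 1006.6, the sixth is suppressed) and never for 10.0.0.9, while the guessable-password check flags five of the worm's six attempts individually and none of the real user's, so a worm that gives up after three guesses would still be caught by the second layer even though it never reaches the threshold.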