[Snort-sigs] RE: FTP brute force login signature

James Riden j.riden at ...1766...
Thu Nov 13 12:51:03 EST 2003

"adam.w.hogan" <adam.w.hogan at ...1605...> writes:

> But, the rule does not catch programs that use a much smaller list of passwords to try.  Lately I've seen a lot of worms that use a simple list of passwords like user name, user name backwards, admin, secret, blank, etc. instead of running through a giant dictionary.  So I want to throw out an idea for comments to shorten the necessary threshold triggers.  I guess the trick is putting it just out of range of the user who can't remember his password.  Here's my suggestion for the rule:
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute force attack"; content:"530 Login "; nocase; flow:from_server,established;  threshold: type both, track by_dst, count 5, seconds 10; sid:10491;)
> Any thoughts?

Why not cover the brute-force case with a threshold, and then add
separate rules for default and common passwords?

(Assuming you're running something like john the ripper to make sure
people don't really have guessable passwords.)

James Riden / j.riden at ...1766... / Systems Programmer - Security
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402 / mobile: 025 671 6418
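To make the two-layer approach in James's reply concrete, here is an added example (not code from the thread, and not Snort's own logic) that replays constructed FTP session events through two detectors: a per-client window counter that emulates the quoted rule's `threshold: type both, track by_dst, count 5, seconds 10` on "530 Login" responses, and a separate check on client PASS commands for default/common guesses (fixed list, username, username reversed, blank). The sample traffic, the password list and the function names are assumptions made for illustration.

```python
"""Two-layer FTP login-failure detection (added example, constructed data).

Layer 1 emulates the Snort rule-level threshold from the quoted rule:
'type both, track by_dst' alerts once per time window after `count`
"530 Login" server responses to the same client, then stays quiet until the
window expires.  Layer 2 flags common/default password guesses on PASS,
which a rate threshold alone misses when a worm only tries a handful.
"""

# Assumption: illustrative list of default/common guesses, not an authoritative one.
COMMON_PASSWORDS = {"admin", "secret", "password", ""}

# Constructed sample traffic: (timestamp_seconds, direction, client_ip, payload).
EVENTS = [
    # Worm-style scan from 10.0.0.5: four guesses (user, reversed user, admin, blank), then stops.
    (0, "to_server", "10.0.0.5", "USER ftp"),
    (0, "to_server", "10.0.0.5", "PASS ftp"),
    (0, "from_server", "10.0.0.5", "530 Login incorrect."),
    (1, "to_server", "10.0.0.5", "USER ftp"),
    (1, "to_server", "10.0.0.5", "PASS ptf"),
    (1, "from_server", "10.0.0.5", "530 Login incorrect."),
    (2, "to_server", "10.0.0.5", "USER ftp"),
    (2, "to_server", "10.0.0.5", "PASS admin"),
    (2, "from_server", "10.0.0.5", "530 Login incorrect."),
    (3, "to_server", "10.0.0.5", "USER ftp"),
    (3, "to_server", "10.0.0.5", "PASS "),
    (3, "from_server", "10.0.0.5", "530 Login incorrect."),
    # Forgetful user from 10.0.0.9: one wrong password, then success.
    (5, "to_server", "10.0.0.9", "USER alice"),
    (5, "to_server", "10.0.0.9", "PASS Tr0ub4dor"),
    (5, "from_server", "10.0.0.9", "530 Login incorrect."),
    (9, "to_server", "10.0.0.9", "USER alice"),
    (9, "to_server", "10.0.0.9", "PASS correct-horse"),
    (9, "from_server", "10.0.0.9", "230 Login successful."),
]
# Dictionary attack from 10.0.0.7: seven failures in seven seconds.
for _i in range(7):
    EVENTS += [
        (20 + _i, "to_server", "10.0.0.7", "USER root"),
        (20 + _i, "to_server", "10.0.0.7", f"PASS word{_i}"),
        (20 + _i, "from_server", "10.0.0.7", "530 Login incorrect."),
    ]


def threshold_alerts(events, count=5, seconds=10):
    """Emulate 'threshold: type both, track by_dst, count N, seconds S'.

    Only server->client responses starting with "530 Login" are counted
    (the quoted rule's content/flow match).  The destination of those
    packets is the client, so state is kept per client IP.  Returns a list
    of (timestamp, client_ip, message), one entry per window that hit `count`.
    """
    windows = {}  # client_ip -> (window_start, hits_in_window)
    alerts = []
    for ts, direction, client, payload in events:
        if direction != "from_server" or not payload.lower().startswith("530 login"):
            continue
        start, hits = windows.get(client, (None, 0))
        if start is None or ts - start >= seconds:
            start, hits = ts, 0          # open a fresh window
        hits += 1
        windows[client] = (start, hits)
        if hits == count:                # 'type both': alert exactly once per window
            alerts.append((ts, client, "FTP brute force attack"))
    return alerts


def common_password_alerts(events, common=COMMON_PASSWORDS):
    """Flag PASS guesses that are in the common list, equal the USER name,
    or equal the USER name reversed.  Returns (timestamp, client_ip, guess)."""
    last_user = {}  # client_ip -> most recent USER argument
    alerts = []
    for ts, direction, client, payload in events:
        if direction != "to_server":
            continue
        verb, _, arg = payload.partition(" ")
        verb, arg = verb.upper(), arg.rstrip("\r\n")
        if verb == "USER":
            last_user[client] = arg
        elif verb == "PASS":
            user = last_user.get(client, "").lower()
            guess = arg.lower()
            if guess in common or guess in (user, user[::-1]):
                alerts.append((ts, client, arg))
    return alerts


if __name__ == "__main__":
    for alert in threshold_alerts(EVENTS):
        print("threshold:", alert)
    for alert in common_password_alerts(EVENTS):
        print("common-password:", alert)
```

Run as written, the threshold layer fires once, for 10.0.0.7 at its fifth failure, and never for the worm at 10.0.0.5, which gives up after four guesses; the common-password layer catches all four of the worm's guesses and stays silent for alice. Lowering `count` to 4 does catch the worm here, but that is exactly the knob that starts colliding with users who cannot remember their password, which is why the reply suggests keeping the threshold where it is and matching the common guesses separately. A plain `content:` match covers the fixed strings ("PASS admin" and friends); the username-derived guesses need the preceding USER line, i.e. per-session state that a single content rule does not carry, so they are done in code here.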
