[Snort-sigs] Rule for detecting MS Exchange SMTP AUTH LOGON brute force attempts.

Brian bmc at ...95...
Mon Nov 17 12:10:27 EST 2003


On Thu, Nov 13, 2003 at 01:41:28PM -0500, Grejda, Eric wrote:
> alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"MS Exchange SMTP AUTH
> LOGON brute force attempt"; content:"Authentication unsuccessful";
> offset:54; nocase; rev:2; classtype:successful-user; threshold:type
> threshold, track by_dst, count 5, seconds 60; sid:1000500;)

A few things:

1) You should really force this to be inside a flow.

    alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"MS Exchange SMTP 
        AUTH LOGON brute force attempt"; flow:established,to_client; 
        content:"Authentication unsuccessful"; offset:54; nocase; rev:2; 
        classtype:successful-user; threshold:type threshold, track by_dst, 
        count 5, seconds 60; sid:1000500;)

2) You've added a rather large offset.  On the Exchange servers I've
   seen, this is too large.  Since this is a generic authentication
   failure message, it's not just Exchange we would be alerting on.  So
   let's change the message too.

    alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"SMTP authentication 
        brute force attempt"; flow:established,to_client; 
        content:"Authentication unsuccessful"; nocase; rev:2; 
        classtype:successful-user; threshold:type threshold, 
        track by_dst, count 5, seconds 60; sid:1000500;)

3) You don't use $SMTP_SERVERS, which is a default variable useful for
   quick rule tuning.

    alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP authentication 
        brute force attempt"; flow:established,to_client; 
        content:"Authentication unsuccessful"; nocase; rev:2; 
        classtype:successful-user; threshold:type threshold, 
        track by_dst, count 5, seconds 60; sid:1000500;)

4) By using track by_dst, you won't pick up on someone using a number
   of hosts to do the brute force.  Since you only care about the
   server error message anyway, we should track by source IP.
    
    alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP authentication 
        brute force attempt"; flow:established,to_client; 
        content:"Authentication unsuccessful"; nocase; rev:2; 
        classtype:successful-user; threshold:type threshold, 
        track by_src, count 5, seconds 60; sid:1000500;)

5) Since the rev is bumped every time you modify a rule, I like
   putting it at the end, so it's easy to automate bumping.

    alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP authentication 
        brute force attempt"; flow:established,to_client; 
        content:"Authentication unsuccessful"; nocase; 
        classtype:successful-user; threshold:type threshold, track by_src, 
        count 5, seconds 60; sid:1000500; rev:2;)

Our final revision, after cleaning it up a bit, looks like this:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP authentication brute force attempt"; flow:established,to_client; content:"Authentication unsuccessful"; nocase; classtype:successful-user; threshold:type threshold, track by_src, count 5, seconds 60; sid:1000500; rev:3;)

The revised rule is basically the same as the original rule, but it's more 
"portable" to other environments.  This is exactly the style of rule you 
should expect to see quite a bit of shortly.

-brian
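Points 2 and 4 above are easy to get wrong, so here is an added example (not part of the thread, and not Snort code) that models the rule's content/offset match and its threshold option over a constructed stream of server-to-client SMTP replies. The server address, client addresses and reply text are constructed; it shows why `offset:54` misses a short "535" banner and why `track by_src` (the server) catches failures spread across many client hosts while `track by_dst` (each client) does not.

```python
from collections import defaultdict

CONTENT = b"authentication unsuccessful"  # compared case-insensitively (nocase)


def matches(payload: bytes, offset: int = 0) -> bool:
    """Snort content + nocase + offset: the pattern must start at byte `offset` or later."""
    return payload[offset:].lower().find(CONTENT) != -1


class Threshold:
    """threshold:type threshold, track by_X, count N, seconds S.

    Fires once per N matching events from the same tracked address inside an
    S-second window that opens at the first event; the window resets on fire
    or when it expires.
    """

    def __init__(self, track: str, count: int, seconds: int):
        self.track, self.count, self.seconds = track, count, seconds
        self.events = defaultdict(list)

    def feed(self, t: int, src: str, dst: str) -> bool:
        # Rule direction is server 25 -> client, so by_src keys on the server.
        key = src if self.track == "by_src" else dst
        window = self.events[key]
        if window and t - window[0] > self.seconds:
            window.clear()
        window.append(t)
        if len(window) >= self.count:
            window.clear()
            return True
        return False


def run_rule(packets, track: str, offset: int = 0, count: int = 5, seconds: int = 60):
    """Return (time, tracked_ip) for every alert the rule would raise on `packets`."""
    th = Threshold(track, count, seconds)
    alerts = []
    for t, src, dst, payload in packets:
        if matches(payload, offset) and th.feed(t, src, dst):
            alerts.append((t, src if track == "by_src" else dst))
    return alerts


# Constructed sample traffic: (time_s, src, dst, payload), server -> client.
SERVER = "192.0.2.25"
FAIL = b"535 5.7.3 Authentication unsuccessful\r\n"   # pattern starts at byte 10
OK = b"235 2.7.0 Authentication successful\r\n"       # must not count
SINGLE = [(t, SERVER, "203.0.113.7", FAIL) for t in range(0, 50, 10)] + [(45, SERVER, "203.0.113.7", OK)]
DISTRIBUTED = [(t, SERVER, f"203.0.113.{10 + i}", FAIL) for i, t in enumerate(range(0, 50, 10))]
```

Running `run_rule(DISTRIBUTED, "by_dst")` yields no alert while `run_rule(DISTRIBUTED, "by_src")` fires at t=40, and `run_rule(SINGLE, "by_dst", offset=54)` never fires because the pattern sits at byte 10 of the reply.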
