[Snort-sigs] Rule for detecting MS Exchange SMTP AUTH LOGON brute force attempts.

Grejda, Eric EGrejda at ...2028...
Tue Nov 18 06:41:08 EST 2003

> 1) you should really force this to be inside a flow.
> ...

I'm not going to respond to this just yet, not until I get a better handle
on how Snort handles flows.

> 2) You've added a rather large offset.  On the exchange servers I've

The offset was taken from an article that I'd read about the problem the
rule's supposed to detect.  I knew that I was taking a chance on it but
until I'd determined if the offset changed from release to release I decided
to stick with the information I'd found.  I can forward the URL if you like.

>    seen, this is too large.  Since this is a generic authentication
>    failure message, its not just exchange we would be alerting on.  So
>    lets change the message too.

Makes sense to me.

One of the things that I'd done was make the trigger string a bit more
generic.  Specifically, it should be looking for "535 5.7.3 Authentication
unsuccessful" but after some debate over whether or not the "5.3.5" string
could change from revision to revision, that was dropped, along with "535".

> 3) You don't use $SMTP_SERVERS, which is a default variable useful for
>    quick rule tuning.

True.  More a quirk of my day-to-day network environment than anything else.

> 4) By using track by_dst, you won't pick up on someone using a number
>    of hosts to do the brute force.  Since you only care about the
>    server error message anyway, we should track by source IP.

True.  I've not yet heard of any one person using multiple IP addresses to
brute force SMTP AUTH so I decided to go with tracking by destination IP.  I
guess that was a bad idea.

> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP 
> authentication brute force attempt"; content:"Authentication 
> unsuccessful"; nocase; classtype:successful-user; 
> threshold:type threshold, track by_src, count 5, seconds 60; 
> sid:1000500; rev:3;)

Looks like I messed that one up.  First tries at anything usually aren't

Eric Grejda
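As an added illustration of the tracking question raised in point 4 (this is not code from the thread or from Snort; it is a simplified Python model of the threshold keyword, assuming a fixed 60-second window that starts at the first matching event for a key and resets once the count is reached), the script below feeds constructed SMTP server replies through the same content match and counts them either by source (the server) or by destination (the client):

```python
import re

# Case-insensitive match for the generic server response the rule keys on.
CONTENT = re.compile(r"authentication unsuccessful", re.IGNORECASE)


class Threshold:
    """Simplified model of 'threshold:type threshold, track <key>, count N, seconds S'.

    Counts matching events per key inside an S-second window opened by the
    first event; fires when N events are seen and then resets the counter.
    (Assumption: Snort's own bookkeeping differs in detail; the point here is
    the effect of the tracking key, not bit-exact Snort semantics.)
    """

    def __init__(self, count, seconds, track):
        self.count, self.seconds, self.track = count, seconds, track
        self.state = {}  # key -> (window_start, hits)

    def key(self, pkt):
        return pkt["src"] if self.track == "by_src" else pkt["dst"]

    def process(self, pkt):
        # Only server replies from port 25 carrying the failure text count.
        if pkt["sport"] != 25 or not CONTENT.search(pkt["payload"]):
            return False
        k = self.key(pkt)
        start, hits = self.state.get(k, (pkt["ts"], 0))
        if pkt["ts"] - start > self.seconds:   # window expired: start over
            start, hits = pkt["ts"], 0
        hits += 1
        if hits >= self.count:
            self.state[k] = (pkt["ts"], 0)     # fire and reset
            return True
        self.state[k] = (start, hits)
        return False


def alerts(packets, track, count=5, seconds=60):
    """Return [(timestamp, tracked_key)] for every threshold hit."""
    t = Threshold(count, seconds, track)
    return [(p["ts"], t.key(p)) for p in packets if t.process(p)]


def reply(ts, dst, text="535 5.7.3 Authentication unsuccessful\r\n"):
    # Constructed server -> client packet; 192.0.2.10 is the hypothetical SMTP server.
    return {"ts": ts, "src": "192.0.2.10", "sport": 25, "dst": dst, "payload": text}


# Constructed traffic: one server rejecting logons from five different clients.
DISTRIBUTED = [reply(0, "198.51.100.1"), reply(5, "198.51.100.9", "250 2.0.0 OK\r\n"),
               reply(10, "198.51.100.2"), reply(20, "198.51.100.3"),
               reply(30, "198.51.100.4"), reply(40, "198.51.100.5")]

# Constructed traffic: five rejections for a single client inside 40 seconds.
SINGLE_CLIENT = [reply(100 + 10 * i, "198.51.100.7") for i in range(5)]

# Constructed traffic: five rejections for one client, but the fifth lands
# 65 seconds after the first, outside the window.
SLOW = [reply(ts, "198.51.100.8") for ts in (200, 215, 230, 245, 265)]

if __name__ == "__main__":
    for name, pkts in (("distributed", DISTRIBUTED), ("single", SINGLE_CLIENT), ("slow", SLOW)):
        print(name, "by_src:", alerts(pkts, "by_src"), "by_dst:", alerts(pkts, "by_dst"))
```

With track by_dst the distributed case never fires, because each client only ever contributes one failure to its own counter, while track by_src aggregates every failure the server emits and fires on the fifth one.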
