[Snort-sigs] Failed Cisco router authentication attempts/rule

Mark.Schutzmann at ...2233...
Tue Feb 17 07:50:02 EST 2004

Here are a few Cisco-specific rules that I wrote:

# Detects invalid or failed logon to Cisco Switch
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Cisco Switch Login Attempt"; content:"%MGMT-5-"; nocase; classtype:attempted-recon; sid:10000000; rev:1;)
# Detects invalid or failed logon to switch or router
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Cisco Switch or Router Login Attempt"; content:"% Bad passwords"; nocase; classtype:attempted-recon; sid:10000001; rev:1;)
# Detects invalid or failed Cisco PIX login attempts via telnet
# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Cisco PIX Login Attempt"; content:"PIX passwd"; nocase; classtype:attempted-recon; sid:10000002; rev:1;)
# Detects attempted IPSEC-VPN connections
alert udp $HOME_NET any -> $EXTERNAL_NET 500 (msg:"Attempted IPSEC VPN Connection"; classtype:policy-violation; sid:10000008; rev:1;)

Any thoughts or better ones?

Best Regards,

Brian <bmc at ...95...>
Sent by: snort-sigs-admin at ...551...ceforge.net
To: Joshua Wright <jwright at ...2228...>
cc: snort-sigs <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Failed Cisco router authentication attempts/rule
02/16/2004 09:44 PM

On Mon, Feb 16, 2004 at 09:48:14PM -0500, Joshua Wright wrote:
> I noticed there wasn't a rule for failed Cisco router authentication
> attempts - in case this is useful for someone:
> alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"Failed Cisco Device \
> Authentication"; content:"% Login invalid"; \
> flow:from_server,established; depth:2; classtype:attempted-admin; \
> sid:100002; rev:1;)

FYI, this rule isn't valid.  It won't load in modern versions of snort.
"depth:2" says look for the pattern "% Login invalid" in the first 2
bytes of the packet.  "% Login invalid" is much longer than 2 bytes.
Fix that, and you should be good to go.

Other than that, if the idea works for you, awesome.

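As an added illustration (not code from this thread or from Snort itself), a small Python model of the content/nocase/offset/depth semantics Brian describes, run over a constructed telnet reply; the function names and the sample payload are my own assumptions.

```python
# Constructed model of how Snort applies the content / nocase / offset / depth
# rule modifiers.  Illustration only; this is not Snort's own matching code.

from typing import Optional


def search_window(payload: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bytes:
    """Slice of the payload a content match is allowed to look at.

    `offset` skips bytes from the start of the payload; `depth` limits how
    many bytes after that are searched.  With no depth, the rest of the
    payload is searched.
    """
    if depth is None:
        return payload[offset:]
    return payload[offset:offset + depth]


def content_matches(payload: bytes, content: bytes, nocase: bool = False,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """True only if the whole pattern fits inside the search window."""
    window = search_window(payload, offset, depth)
    if nocase:
        window, content = window.lower(), content.lower()
    return content in window


def rule_loads(content: bytes, depth: Optional[int]) -> bool:
    """Model the load-time check: a depth shorter than the pattern is
    rejected, which is why the posted `depth:2` rule will not load."""
    return depth is None or depth >= len(content)


# Constructed sample of a telnet server reply after a failed IOS login.
# "% Login invalid" is 15 bytes and starts after the leading CRLF (offset 2).
FAILED_LOGIN = b"\r\n% Login invalid\r\n\r\nUser Access Verification\r\n"

if __name__ == "__main__":
    print(rule_loads(b"% Login invalid", 2))                               # False
    print(content_matches(FAILED_LOGIN, b"% Login invalid"))                # True
    print(content_matches(FAILED_LOGIN, b"% Login invalid", depth=17))      # True
    print(content_matches(FAILED_LOGIN, b"% Login invalid", depth=16))      # False
    print(content_matches(FAILED_LOGIN, b"% Login invalid", offset=2, depth=15))  # True
```

Dropping `depth` (or making it at least the pattern length plus any leading bytes) is the fix Brian refers to; `offset` can then be used to skip the CRLF the device sends first.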
