[Snort-sigs] Failed Cisco router authentication attempts/rule

Mark.Schutzmann at ...2233...
Wed Feb 18 14:57:01 EST 2004


Any input on this? I am looking for signatures that complement the full
Cisco line of products. Since Cisco is also a predominant player in the
Infrastructure market, has there been any thought about including them
standard in the snort signature rule sets?

Thanks,
Mark


Mark.Schutzmann at ...2233...
Sent by: snort-sigs-admin at ...551...ceforge.net
To: Brian <bmc at ...95...>
cc: Joshua Wright <jwright at ...2228...>, snort-sigs <snort-sigs at lists.sourceforge.net>, snort-sigs-admin at lists.sourceforge.net
Subject: Re: [Snort-sigs] Failed Cisco router authentication attempts/rule
02/17/2004 09:47 AM

Here are a few Cisco-specific rules that I wrote:

# Detects invalid or failed logon to Cisco Switch
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Cisco Switch Login Attempt"; content:"%MGMT-5-"; nocase; classtype:attempted-recon; sid:10000000; rev:1;)
# Detects invalid or failed logon to switch or router
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Cisco Switch or Router Login Attempt"; content:"% Bad passwords"; nocase; classtype:attempted-recon; sid:10000001; rev:1;)
# Detects invalid or failed Cisco PIX login attempts via telnet (kept commented out, as posted)
# alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Cisco PIX Login Attempt"; content:"PIX passwd"; nocase; classtype:attempted-recon; sid:10000002; rev:1;)
# Detects attempted IPSEC-VPN connections (no content match, so it fires on every UDP/500 packet from $HOME_NET)
alert udp $HOME_NET any -> $EXTERNAL_NET 500 (msg:"Attempted IPSEC VPN Connection"; classtype:policy-violation; sid:10000008; rev:1;)

Any thoughts or better ones?

Best Regards,
Mark



Brian <bmc at ...95...>
Sent by: snort-sigs-admin at ...551...ceforge.net
To: Joshua Wright <jwright at ...2228...>
cc: snort-sigs <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Failed Cisco router authentication attempts/rule
02/16/2004 09:44 PM

On Mon, Feb 16, 2004 at 09:48:14PM -0500, Joshua Wright wrote:
> I noticed there wasn't a rule for failed Cisco router authentication
> attempts - in case this is useful for someone:
>
> alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"Failed Cisco Device \
> Authentication"; content:"% Login invalid"; \
> flow:from_server,established; depth:2; classtype:attempted-admin; \
> sid:100002; rev:1;)

FYI, this rule isn't valid.  It won't load in modern versions of snort.
"depth:2" says look for the pattern "% Login invalid" in the first 2
bytes of the packet.  "% Login invalid" is much longer than 2 bytes.
Fix that, and you should be good to go.

Other than that, if the idea works for you, awesome.

Brian
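
Both defects in this thread are mechanical enough to catch before a rule ever reaches a sensor: the depth:2 that is shorter than the 15-byte "% Login invalid" pattern in the quoted rule, and the miscased $External_NET in the IPSEC rule, which Snort will not find defined because variable names are case-sensitive. The lint below is an added example written for this page, not code from the thread or from the Snort project. It assumes only the two standard snort.conf variables $HOME_NET and $EXTERNAL_NET are defined, and it takes the thread's own rules, reproduced as constructed input in the mail-wrapped form they were posted in, as its test cases. It also flags a rule with no content option at all, since such a rule fires on every packet that fits its header.

```python
import re

# Assumption for this example: only the two standard snort.conf variables
# are defined. Any other $NAME is reported (Snort matches names case-sensitively).
KNOWN_VARS = {"$HOME_NET", "$EXTERNAL_NET"}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def unwrap(text):
    """Join a rule that arrived wrapped over several lines, whether with
    trailing-backslash continuations or plain mail-client wraps."""
    text = re.sub(r"\s*\\\n\s*", " ", text)
    return re.sub(r"\s*\n\s*", " ", text).strip()


def parse_options(opts):
    """Split the option body into (keyword, value) pairs in order;
    modifier keywords such as nocase get an empty value."""
    pairs = []
    for raw in opts.split(";"):
        raw = raw.strip()
        if raw:
            key, _, val = raw.partition(":")
            pairs.append((key.strip(), val.strip()))
    return pairs


def content_length(value):
    """Length in bytes of a content pattern; |..| sections hold hex bytes."""
    total, in_hex, hexbuf = 0, False, ""
    for ch in value.strip('"'):
        if ch == "|":
            if in_hex:
                total += len(hexbuf.split())
                hexbuf = ""
            in_hex = not in_hex
        elif in_hex:
            hexbuf += ch
        else:
            total += 1
    return total


def lint(rule_text):
    """Return a list of findings for one rule; an empty list means it passed."""
    findings = []
    m = HEADER_RE.match(unwrap(rule_text))
    if not m:
        return ["rule header could not be parsed"]
    for field in ("src", "dst"):
        v = m.group(field)
        if v.startswith("$") and v not in KNOWN_VARS:
            findings.append(f"unknown variable {v} (names are case-sensitive)")
    opts = parse_options(m.group("opts"))
    if not any(k == "sid" for k, _ in opts):
        findings.append("missing sid")
    if not any(k == "content" for k, _ in opts):
        findings.append("no content match: fires on every packet that fits the header")
    current = None  # the content option that later modifiers apply to
    for key, val in opts:
        if key == "content":
            current = val
        elif key == "depth" and current is not None:
            need = content_length(current)
            if int(val) < need:
                findings.append(
                    f"depth:{val} is shorter than content {current} "
                    f"({need} bytes); the pattern can never fit and Snort rejects the rule"
                )
    return findings


# Constructed inputs: the rules from this thread, exactly as they were
# mail-wrapped when posted (quote markers removed).
JOSHUA_RULE = '''alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"Failed Cisco Device \\
Authentication"; content:"% Login invalid"; \\
flow:from_server,established; depth:2; classtype:attempted-admin; \\
sid:100002; rev:1;)'''

MARK_SWITCH_RULE = '''alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"Cisco Switch Login
Attempt"; content:"%MGMT-5-"; nocase; classtype:attempted-recon;
sid:10000000; rev:1;)'''

MARK_VPN_RULE = '''alert udp $HOME_NET any -> $External_NET 500 (msg:"Attempted IPSEC VPN
Connection"; classtype:policy-violation; sid:10000008; rev:1;)'''

if __name__ == "__main__":
    for name, rule in (("joshua", JOSHUA_RULE), ("mark-switch", MARK_SWITCH_RULE),
                       ("mark-vpn", MARK_VPN_RULE)):
        print(name, lint(rule) or "ok")
```

The depth check tracks the most recent content option because in Snort each depth modifies the content that precedes it; a rule with several content matches is checked pair by pair. Run against the three rules above, the lint reports the depth problem Brian describes for the quoted rule, passes Mark's switch rule, and reports both the unknown variable and the absent content match for the IPSEC rule.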


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs