[Snort-sigs] SSH brute force attack sig

Michael Sierchio kudzu at ...3104...
Wed Jul 6 11:51:31 EDT 2005


Paul Schmehl wrote:
> Does anyone have one?
> 
> I put together a very simple one to catch *outgoing* evil, but I'm 
> wondering if anyone has packet captures that would help with content 
> definitions.
> 
> Here's the rule I wrote:
> 
> # New rule for catching ssh brute-force attacks
> alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack"; 
> threshold: type both, track by_src, count 2000, seconds 60; 
> classtype:trojan-activity; sid:1000281; rev:2;)
> 
> It's catching some legitimate sessions, so I'l probably need to raise 
> the threshold more, but I'm wondering if there's a packet capture that 
> has something unique the rule could trigger on.

The problem with active and adaptive attacks against long-lived
cryptographic secrets (decryption keys in the pubkey pair, for
example) is that they can be accomplished quietly, over the course
of days or weeks, without detection.  The remote timing attack against
OpenSSL run without blinding is one such attack.

In some cases it's a defect in the protocol -- the adaptive chosen
plaintext attack against WEP succeeds because decryption errors and
stats aren't reported, or even accessible, in 802.11 et seq.

I'm curious about what this accomplishes, apart from raising the
ambient noise level.




More information about the Snort-sigs mailing list