[Snort-sigs] SSH brute force attack sig

Paul Schmehl pauls at ...1311...
Wed Jul 6 12:04:21 EDT 2005


--On Wednesday, July 06, 2005 11:49:28 -0700 Michael Sierchio 
<kudzu at ...3104...> wrote:

> Paul Schmehl wrote:
>> Does anyone have one?
>>
>> I put together a very simple one to catch *outgoing* evil, but I'm
>> wondering if anyone has packet captures that would help with content
>> definitions.
>>
>> Here's the rule I wrote:
>>
>> # New rule for catching ssh brute-force attacks
>> alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack";
>> threshold: type both, track by_src, count 2000, seconds 60;
>> classtype:trojan-activity; sid:1000281; rev:2;)
>>
>> It's catching some legitimate sessions, so I'l probably need to raise
>> the threshold more, but I'm wondering if there's a packet capture that
>> has something unique the rule could trigger on.
>
> The problem with active and adaptive attacks against long-lived
> cryptographic secrets (decryption keys in the pubkey pair, for
> example) is that they can be accomplished quietly, over the course
> of days or weeks, without detection.  The remote timing attack against
> OpenSSL run without blinding is one such attack.
>
> In some cases it's a defect in the protocol -- the adaptive chosen
> plaintext attack against WEP succeeds because decryption errors and
> stats aren't reported, or even accessible, in 802.11 et seq.
>
> I'm curious about what this accomplishes, apart from raising the
> ambient noise level.
>
It tells me when I have a host on my network that is performing brute force 
SSH attacks.  It's nearly impossible to secure an edu to the point that 
boxes don't get broken into.  Too many "rogue" people running around 
without a clue about security but a desire to be "online" with some fancy 
widget thing they just found out about.

So, I spend a great deal of time worrying about being a good netizen rather 
than worrying about being attacked.  I'm attacked 24/7.  What I want to 
know is when the attack succeeded.  *Some* of that can be done with 
incoming rules, but they aren't perfect.  Outgoing rules help me catch the 
ones that got through, got hacked or infected and now are attacking foreign 
hosts.

I'm not c oncerned about what's *in* the session - only that many sessions 
are being intitated, which is *not* normal.

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/




More information about the Snort-sigs mailing list