[Snort-sigs] New rules (2) for detect Hydra brute force auth

rmkml rmkml at ...324...
Wed Oct 12 01:25:47 EDT 2005


Hi,

Please check and add this new rule for HTTP:

web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-ATTACKS Hydra attempt"; flow:to_server,established; 
content:"User-Agent\: Mozilla/4.0 (Hydra)"; nocase;
classtype:web-application-activity;)

User-Agent...Hydra is hardcoded in hydra-http.c.

and this new rule for SMTP:

smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Hydra attempt";
flow:to_server,established; pcre:"/^(EHLO|HELO)\s+hydra/smi"; 
classtype:misc-attack;)


Regards
Rmkml
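
The matching logic of the two rules above, emulated in Python over constructed payloads to show what they catch and where the SMTP pattern can misfire. This is an added example, not part of the original post and not Snort code; the sample payloads, labels and function names are assumptions made for illustration.

```python
import re

# Patterns copied from the two rules in the post.
# content:"User-Agent\: Mozilla/4.0 (Hydra)"; nocase;  ("\:" is a literal colon)
HTTP_CONTENT = b"User-Agent: Mozilla/4.0 (Hydra)"
# pcre:"/^(EHLO|HELO)\s+hydra/smi"
#   s -> DOTALL, m -> MULTILINE (^ matches at every line start), i -> IGNORECASE
SMTP_PCRE = re.compile(rb"^(EHLO|HELO)\s+hydra",
                       re.DOTALL | re.MULTILINE | re.IGNORECASE)


def match_http(payload: bytes) -> bool:
    """Case-insensitive substring search, as content + nocase does."""
    return HTTP_CONTENT.lower() in payload.lower()


def match_smtp(payload: bytes) -> bool:
    """Regex search over the whole payload; nothing anchors the end of 'hydra'."""
    return SMTP_PCRE.search(payload) is not None


def scan(samples):
    """Return the labels of the samples that would raise an alert."""
    matchers = {"http": match_http, "smtp": match_smtp}
    return [label for label, proto, data in samples if matchers[proto](data)]


# Constructed payloads (not captured traffic).
SAMPLES = [
    ("http-hydra", "http",
     b"GET /admin/ HTTP/1.0\r\nHost: www.example.test\r\n"
     b"User-Agent: Mozilla/4.0 (Hydra)\r\n\r\n"),
    ("http-hydra-lowercase", "http",
     b"GET / HTTP/1.0\r\nuser-agent: mozilla/4.0 (hydra)\r\n\r\n"),
    ("http-browser", "http",
     b"GET / HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    ("smtp-hydra", "smtp", b"EHLO hydra\r\n"),
    ("smtp-hydra-second-line", "smtp", b"NOOP\r\nhelo HYDRA\r\n"),
    ("smtp-normal", "smtp", b"EHLO mail.example.test\r\n"),
    ("smtp-mid-line", "smtp", b"Subject: say EHLO hydra\r\n"),
    # False positive: a message-body line that merely starts like the greeting.
    ("smtp-body-hydrangea", "smtp", b"Hi,\r\nhelo hydrangea growers\r\n"),
]

if __name__ == "__main__":
    for label in scan(SAMPLES):
        print("alert:", label)
```

The last sample matches because the pcre has no boundary after `hydra` and, with the `m` flag, `^` matches at any line start in the payload, so a line in a message body can trigger it.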