[Snort-sigs] New rules (2) for detect Hydra brute force auth

Nigel Houghton nigel at ...435...
Wed Oct 12 08:23:41 EDT 2005

On  0, rmkml <rmkml at ...324...> allegedly wrote:
> Hi,
> Please check and add this new rule for http :
> web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
> $HTTP_PORTS (msg:"WEB-ATTACKS Hydra attempt"; flow:to_server,established; 
> content:"User-Agent\: Mozilla/4.0 (Hydra)"; nocase;
> classtype:web-application-activity;)
> User-Agent...Hydra is hardcoded on hydra-http.c
> and this new rule for smtp :
> smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP 
> Hydra attempt";
> flow:to_server,established; pcre:"/^(EHLO|HELO)\s+hydra/smi"; 
> classtype:misc-attack;)

Thanks for the suggestion, but do you have any references for this? Also
if it is a "brute force auth" is there anything else you can add to the
rules to identify the actual attempt or do you intend these rules to
only fire after n attempts?
     Nigel Houghton      Research Engineer       Sourcefire Inc.
                   Vulnerability Research Team

 I require a window seat and an inflight Happy Meal, and no pickles! 
 God help you if I find pickles!

More information about the Snort-sigs mailing list