[Snort-sigs] New rules (2) for detect Hydra brute force auth

Alex Kirk alex.kirk at ...435...
Wed Oct 12 08:27:35 EDT 2005


Good call, I'd already asked for references off-list (in French, since 
my French is better than his English). I'll let you know if I get a 
response.

Alex

>On  0, rmkml <rmkml at ...324...> allegedly wrote:
>  
>
>>Hi,
>>
>>Please check and add this new rule for http :
>>
>>web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
>>$HTTP_PORTS (msg:"WEB-ATTACKS Hydra attempt"; flow:to_server,established; 
>>content:"User-Agent\: Mozilla/4.0 (Hydra)"; nocase;
>>classtype:web-application-activity;)
>>
>>User-Agent...Hydra is hardcoded on hydra-http.c
>>
>>and this new rule for smtp :
>>
>>smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP 
>>Hydra attempt";
>>flow:to_server,established; pcre:"/^(EHLO|HELO)\s+hydra/smi"; 
>>classtype:misc-attack;)
>>    
>>
>
>Thanks for the suggestion, but do you have any references for this? Also
>if it is a "brute force auth" is there anything else you can add to the
>rules to identify the actual attempt or do you intend these rules to
>only fire after n attempts?
> 
>+--------------------------------------------------------------------+
>     Nigel Houghton      Research Engineer       Sourcefire Inc.
>                   Vulnerability Research Team
>
> I require a window seat and an inflight Happy Meal, and no pickles! 
> God help you if I find pickles!
>
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs
>  
>
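The two proposed rules boil down to two string checks, and Nigel's question is whether an alert should fire per packet or only after some number of attempts from one source. The block below, an added example that is not part of this thread, of Hydra, or of Snort, models exactly that in Python so the matching logic can be exercised offline: http_is_hydra() mirrors the content + nocase option, smtp_is_hydra() mirrors the pcre /smi option, and BySrcThreshold is a simplified stand-in for a per-source "count N in S seconds" threshold (the kind Snort's threshold rule option provides; its exact semantics are not reproduced here). The HTTP requests and SMTP greetings in SAMPLE_EVENTS are constructed to match the rule text on the page, not captured Hydra traffic, and the addresses and timestamps are made up.

```python
"""Offline model of the Hydra signatures proposed above, plus a per-source
attempt counter. Added example, not code from the thread, Hydra, or Snort.
"""
import re

# content:"User-Agent\: Mozilla/4.0 (Hydra)"; nocase;
# -> case-insensitive substring search over the request.
HTTP_NEEDLE = b"user-agent: mozilla/4.0 (hydra)"

def http_is_hydra(request: bytes) -> bool:
    """True if the request carries the User-Agent the HTTP rule looks for."""
    return HTTP_NEEDLE in request.lower()

# pcre:"/^(EHLO|HELO)\s+hydra/smi"
# m: ^ anchors at any line start, s: . matches newline, i: ignore case.
SMTP_GREETING = re.compile(rb"^(EHLO|HELO)\s+hydra", re.M | re.S | re.I)

def smtp_is_hydra(session: bytes) -> bool:
    """True if any line of the client side of the session greets as 'hydra'."""
    return SMTP_GREETING.search(session) is not None

class BySrcThreshold:
    """Fire once per source per window when `count` matching events arrive
    within `seconds`. Assumption: a simplified model of a by-source rule
    threshold; a real IDS threshold has more options than this."""
    def __init__(self, count: int, seconds: float):
        self.count, self.seconds = count, seconds
        self.window = {}  # src -> (window_start_ts, hits_in_window)

    def hit(self, src: str, ts: float) -> bool:
        start, hits = self.window.get(src, (ts, 0))
        if ts - start > self.seconds:  # window expired: start a fresh one
            start, hits = ts, 0
        hits += 1
        self.window[src] = (start, hits)
        return hits == self.count      # alert exactly once per window

# Constructed sample traffic: (timestamp, client address, protocol, payload).
SAMPLE_EVENTS = [
    # four HTTP basic-auth guesses from one client in three seconds
    (0.0, "10.0.0.5", "http", b"GET /admin/ HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nAuthorization: Basic YWRtaW46YWRtaW4=\r\n\r\n"),
    (1.0, "10.0.0.5", "http", b"GET /admin/ HTTP/1.0\r\nuser-agent: MOZILLA/4.0 (HYDRA)\r\nAuthorization: Basic YWRtaW46cGFzc3dvcmQ=\r\n\r\n"),
    (2.0, "10.0.0.5", "http", b"GET /admin/ HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nAuthorization: Basic YWRtaW46MTIzNDU2\r\n\r\n"),
    (3.0, "10.0.0.5", "http", b"GET /admin/ HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (Hydra)\r\nAuthorization: Basic YWRtaW46bGV0bWVpbg==\r\n\r\n"),
    # an ordinary browser: never matches
    (1.5, "10.0.0.9", "http", b"GET / HTTP/1.1\r\nHost: www\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    # three SMTP sessions greeting as 'hydra', as the proposed SMTP rule assumes
    (5.0, "10.0.0.7", "smtp", b"HELO hydra\r\nAUTH LOGIN\r\n"),
    (5.5, "10.0.0.7", "smtp", b"ehlo hydra\r\nAUTH LOGIN\r\n"),
    (6.0, "10.0.0.7", "smtp", b"HELO hydra\r\nAUTH LOGIN\r\n"),
    # a legitimate MTA: never matches
    (6.2, "10.0.0.8", "smtp", b"EHLO mail.example.org\r\n"),
]

def run(events, count: int, seconds: float):
    """Apply both signatures to each event and return (ts, src, msg) alerts
    that survive the per-source threshold."""
    checks = {"http": (http_is_hydra, "WEB-ATTACKS Hydra attempt"),
              "smtp": (smtp_is_hydra, "SMTP Hydra attempt")}
    thresholds = {proto: BySrcThreshold(count, seconds) for proto in checks}
    alerts = []
    for ts, src, proto, payload in events:
        matcher, msg = checks[proto]
        if matcher(payload) and thresholds[proto].hit(src, ts):
            alerts.append((ts, src, msg))
    return alerts

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS, count=3, seconds=60):
        print(alert)
```

With count=3 the sample produces one alert per attacking source (the third HTTP guess at t=2.0 and the third SMTP greeting at t=6.0); with count=1 it behaves like the bare rules and fires on the first match. Both strings are client-controlled (a User-Agent header and a HELO argument), so a threshold raises confidence that repeated attempts are happening but does nothing against a client that simply changes the string; the references Nigel and Alex are asking for are what would establish whether those strings are stable enough to rely on.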
