[Snort-sigs] New rules (2) for detecting Hydra brute force auth

Alex Kirk alex.kirk at ...435...
Wed Oct 12 08:27:35 EDT 2005

Good call, I'd already asked for references off-list (in French, since 
my French is better than his English). I'll let you know if I get a 


>On  0, rmkml <rmkml at ...324...> allegedly wrote:
>>Please check and add this new rule for http :
>>web-attacks.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-ATTACKS Hydra attempt"; flow:to_server,established; content:"User-Agent\: Mozilla/4.0 (Hydra)"; nocase;)
>>User-Agent...Hydra is hardcoded in hydra-http.c
>>and this new rule for smtp :
>>smtp.rules:alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Hydra attempt"; flow:to_server,established; pcre:"/^(EHLO|HELO)\s+hydra/smi";)
>Thanks for the suggestion, but do you have any references for this? Also
>if it is a "brute force auth" is there anything else you can add to the
>rules to identify the actual attempt or do you intend these rules to
>only fire after n attempts?
>     Nigel Houghton      Research Engineer       Sourcefire Inc.
>                   Vulnerability Research Team
> I require a window seat and an inflight Happy Meal, and no pickles! 
> God help you if I find pickles!
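As an added illustration (not code from this thread or from Snort), the two rule bodies quoted above are reduced to their matching logic in Python and run over constructed sample payloads, followed by a per-source counter that answers Nigel's "only fire after n attempts" question in the spirit of Snort's rule-level threshold option. The source address, hostnames and timestamps are made up for the example.

```python
import re
from collections import defaultdict, deque

# Constructed samples: (service, timestamp, first client-to-server bytes).
SAMPLES = [
    ("http", 1000.0, b"GET /login HTTP/1.0\r\nHost: www.example.test\r\n"
                     b"User-Agent: Mozilla/4.0 (Hydra)\r\n\r\n"),
    ("http", 1001.0, b"GET /login HTTP/1.0\r\nHost: www.example.test\r\n"
                     b"user-agent: mozilla/4.0 (hydra)\r\n\r\n"),  # nocase
    ("http", 1002.0, b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible)\r\n\r\n"),
    ("smtp", 1003.0, b"EHLO hydra\r\nAUTH LOGIN\r\n"),
    ("smtp", 1004.0, b"EHLO mail.example.test\r\n"),
]

# content:"User-Agent\: Mozilla/4.0 (Hydra)"; nocase;  -> case-insensitive substring
HTTP_UA = b"User-Agent: Mozilla/4.0 (Hydra)".lower()
# pcre:"/^(EHLO|HELO)\s+hydra/smi"  -> Python flags S | M | I
SMTP_HELO = re.compile(rb"^(EHLO|HELO)\s+hydra", re.S | re.M | re.I)

def match_rule(service, payload):
    """Return the msg of the rule that fires on this payload, or None."""
    if service == "http" and HTTP_UA in payload.lower():
        return "WEB-ATTACKS Hydra attempt"
    if service == "smtp" and SMTP_HELO.search(payload):
        return "SMTP Hydra attempt"
    return None

class SourceThreshold:
    """Fire on the count-th match of one rule from one source inside a window,
    like 'threshold: type threshold, track by_src, count N, seconds S'."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)  # (src, msg) -> recent match times
    def hit(self, src, msg, ts):
        q = self.seen[(src, msg)]
        q.append(ts)
        while q and ts - q[0] > self.seconds:  # drop matches outside the window
            q.popleft()
        if len(q) >= self.count:
            q.clear()
            return True
        return False

def run(samples, src="192.0.2.10", count=2, seconds=60):
    """Return (per-connection rule matches, alerts that passed the threshold)."""
    thr = SourceThreshold(count, seconds)
    matches, alerts = [], []
    for service, ts, payload in samples:
        msg = match_rule(service, payload)
        matches.append(msg)
        if msg and thr.hit(src, msg, ts):
            alerts.append((ts, msg))
    return matches, alerts
```

With the default count of 2 only the second HTTP connection alerts; with count=1 every match alerts, which is how the quoted rules behave as written.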
