[Snort-sigs] Trouble in triggering the snort rule to detect FTP Brute Force attack

manjushree ks manjushree.ks at ...12...
Mon Apr 12 06:07:29 EDT 2010


Hi, 

This is Manju writing in to request suggestions on the Snort rule below.

Rule that will detect more than 3 unsuccessful login attempts on an FTP
server within a minute with username administrator or Administrator or
ADMINISTRATOR. The hacker is trying to log in with the username
administrator, Administrator or ADMINISTRATOR.


Below is the rule that I have been trying out:

alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; flow:to_server,established; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi"; content:"Administrator"; nocase; threshold:type threshold, track by_src, count 3, seconds 60; classtype:suspicious-login; sid:3000002;)

I have tried to log in to an FTP server and below are the results:

******************************************
root at ...3478...:~# ftp ftp.microsoft.com
Connected to ftp.microsoft.akadns.net.
220 Microsoft FTP Service
Name (ftp.microsoft.com:manjushree): administrator
331 Password required for administrator.
Password:
530 User cannot log in.
Login failed.
Remote system type is Windows_NT.
ftp> user administrator
331 Password required for administrator.
Password: 
530 User cannot log in.
Login failed.
ftp> user administrator
331 Password required for administrator.
Password: 
530 User cannot log in.
Login failed.
************************************************

But I don't have any alerts being triggered. Could anyone please let me know where I am going wrong?

Thanks!
Manju
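As an added example (not part of the original post), here is a two-rule rewrite of the rule above that I would expect to trigger. The flowbit name, sids, rev numbers and message text are my own choices; detection_filter is the Snort 2.8.5+ replacement for the threshold rule option.

```snort
# Rule 1: the client sends "USER administrator". nocase covers the
# Administrator / ADMINISTRATOR variants. The rule only sets a flowbit on the
# session and does not raise an alert by itself.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER administrator"; flow:to_server,established; content:"USER administrator"; nocase; depth:18; flowbits:set,ftp.user.admin; flowbits:noalert; classtype:misc-activity; sid:3000001; rev:1;)

# Rule 2: the server replies 530 on a session where rule 1 fired. The reply
# travels server -> client, so the header direction, the flow keyword and the
# tracked address are all reversed relative to the original rule (the client is
# now the destination). detection_filter alerts from the 4th failure within
# 60 seconds for the same client address.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Potential Brute Force Attack - administrator"; flow:to_client,established; flowbits:isset,ftp.user.admin; content:"530 "; depth:4; detection_filter:track by_dst, count 3, seconds 60; classtype:suspicious-login; sid:3000002; rev:2;)
```

Three things keep the original rule from ever matching. First, it uses flow:to_server but looks for "530 ", and the 530 reply is sent by the server to the client. Second, the reply line in the session above is "530 User cannot log in.", which does not contain the string "Administrator", so the username has to be matched on the USER command and carried to the reply with flowbits. Third, the test session was an outbound login from the sensor's own host to ftp.microsoft.com, so the header $EXTERNAL_NET any -> $HOME_NET 21 never matches that traffic at all; the rule needs to be tested with the FTP server inside $HOME_NET and the client outside it. One caveat of the rewrite: the flowbit stays set for the rest of the TCP session, so later 530 replies for other usernames on the same session are counted too. If the original threshold semantics are wanted instead, threshold:type threshold, track by_dst, count 3, seconds 60 can be used in place of detection_filter.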