[Snort-sigs] Trouble in triggering the snort rule to detect FTP Brute Force attack

Eoin Miller eoin.miller at ...3415...
Mon Apr 12 07:58:43 EDT 2010


Could be because you are going from your $HOME_NET -> $EXTERNAL_NET when 
you are testing and your rule is only setup to trigger on $EXTERNAL_NET 
-> $HOME_NET.

-- Eoin

On 4/12/2010 6:07 AM, manjushree ks wrote:
> Hi,
>
> This is Manju writing in to request any suggestions on the below snort 
> rule,
>
> Rule that will detect more than 3 unsuccessful login attempts on an FTP 
> server within a minute with username administrator or Administrator or 
> ADMINISTRATOR. The Hacker is trying to login with the username 
> administrator or Administrator or ADMINISTRATOR.
>
>
> Below is the rule that I have been trying out,
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; \
>     flow:to_server,established; content:"530 "; depth:4; \
>     pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi"; content:"Administrator"; nocase; \
>     threshold:type threshold, track by_src, count 3, seconds 60; \
>     classtype:suspicious-login; sid:3000002;)
>
> I have tried to login into a FTP server and below are the results,
>
> ******************************************
> root at ...3478...:~# ftp ftp.microsoft.com
> Connected to ftp.microsoft.akadns.net.
> 220 Microsoft FTP Service
> Name (ftp.microsoft.com:manjushree): administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> Remote system type is Windows_NT.
> ftp> user administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> ftp> user administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> ************************************************
>
> But I don't have alerts being triggered. Could anyone please let me know 
> where I am going wrong?
>
> Thanks!
> Manju
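The following is an added illustration, not code from the thread, from Eoin, or from the Snort project. It is a small Python model of the rule checks the thread is arguing about (header direction, flow, content with depth, pcre, and a by-address threshold) run over a constructed packet stream built from the quoted FTP session. Addresses, ports, timestamps and the PASS payload are all constructed; the model assumes whichever side owns port 21 is the server, and it is not Snort's matching engine.

```python
"""Model of why the posted rule stays silent on the quoted FTP session.

Added example; not from the thread or the Snort project. Only the checks the
thread discusses are modelled. All addresses and timestamps are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

# Constructed topology, following Eoin's reading of the test: the analyst's FTP
# client is inside $HOME_NET and the FTP server being logged into is outside it.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
CLIENT, CLIENT_PORT = "192.168.1.10", 40001
SERVER, FTP_PORT = "198.51.100.20", 21


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str                       # "$HOME_NET", "$EXTERNAL_NET" or "any"
    sport: Union[int, str]             # port number or "any"
    dst_net: str
    dport: Union[int, str]
    flow: str                          # "to_server" or "to_client"
    contents: Tuple[Tuple[bytes, Optional[int], bool], ...]  # (pattern, depth, nocase)
    pcre: Optional[str]
    track: str                         # "by_src" or "by_dst"
    count: int
    seconds: int


def _net_ok(ip: str, var: str) -> bool:
    inside = ipaddress.ip_address(ip) in HOME_NET
    return {"$HOME_NET": inside, "$EXTERNAL_NET": not inside}.get(var, True)


def first_failed_check(rule: Rule, pkt: Packet) -> Optional[str]:
    """Name of the first per-packet check that rejects pkt, or None if all pass."""
    if not (_net_ok(pkt.src, rule.src_net) and _net_ok(pkt.dst, rule.dst_net)
            and rule.sport in ("any", pkt.sport) and rule.dport in ("any", pkt.dport)):
        return "header"
    # Simplification: the FTP server owns port 21, so a packet is "to_server"
    # exactly when its destination port is 21.
    direction = "to_server" if pkt.dport == FTP_PORT else "to_client"
    if direction != rule.flow:
        return "flow"
    for pattern, depth, nocase in rule.contents:
        hay = pkt.payload if depth is None else pkt.payload[:depth]
        if nocase:
            hay, pattern = hay.lower(), pattern.lower()
        if pattern not in hay:
            return "content:%s" % pattern.decode()
    if rule.pcre and not re.search(rule.pcre.encode(), pkt.payload, re.S | re.M | re.I):
        return "pcre"
    return None


def run(rule: Rule, packets: List[Packet]) -> List[float]:
    """Timestamps at which the rule alerts. Models threshold type 'threshold':
    one alert per `count` matching packets from one tracked address within `seconds`."""
    seen: Dict[str, List[float]] = {}
    alerts: List[float] = []
    for pkt in packets:
        if first_failed_check(rule, pkt) is not None:
            continue
        key = pkt.src if rule.track == "by_src" else pkt.dst
        window = [t for t in seen.get(key, []) if pkt.ts - t < rule.seconds]
        window.append(pkt.ts)
        if len(window) >= rule.count:
            alerts.append(pkt.ts)
            window = []  # threshold fired; start counting again
        seen[key] = window
    return alerts


def transcript_packets(t0: float = 0.0) -> List[Packet]:
    """Constructed packets for the three failed logins in the quoted session."""
    pkts: List[Packet] = []
    t = t0
    for _ in range(3):
        pkts += [
            Packet(t, CLIENT, CLIENT_PORT, SERVER, FTP_PORT, b"USER administrator\r\n"),
            Packet(t + 1, SERVER, FTP_PORT, CLIENT, CLIENT_PORT, b"331 Password required for administrator.\r\n"),
            Packet(t + 2, CLIENT, CLIENT_PORT, SERVER, FTP_PORT, b"PASS x\r\n"),  # constructed password
            Packet(t + 3, SERVER, FTP_PORT, CLIENT, CLIENT_PORT, b"530 User cannot log in.\r\n"),
        ]
        t += 10
    return pkts


PCRE = r"530\s+(Login|User|Failed|Not|Logged|In)"

# The rule as posted: matches the server's 530 reply text, but only on packets
# going $EXTERNAL_NET -> $HOME_NET:21 with flow:to_server (client -> server).
POSTED = Rule("posted", "$EXTERNAL_NET", "any", "$HOME_NET", FTP_PORT, "to_server",
              ((b"530 ", 4, False), (b"Administrator", None, True)), PCRE, "by_src", 3, 60)

# Header and flow turned around to match the packet that actually carries "530":
# the server's reply, which in this test travels $EXTERNAL_NET:21 -> $HOME_NET.
DIRECTION_FIXED = Rule("direction_fixed", "$EXTERNAL_NET", FTP_PORT, "$HOME_NET", "any", "to_client",
                       ((b"530 ", 4, False), (b"Administrator", None, True)), PCRE, "by_dst", 3, 60)

# Same, without the username content: the 530 line in the transcript never carries it.
# Tracked by_dst because the client receiving the 530s is the one making the attempts.
REPLY_ONLY = Rule("reply_only", "$EXTERNAL_NET", FTP_PORT, "$HOME_NET", "any", "to_client",
                  ((b"530 ", 4, False),), PCRE, "by_dst", 3, 60)


def summary() -> Dict[str, int]:
    """Alert count per rule variant over the constructed session."""
    pkts = transcript_packets()
    return {r.name: len(run(r, pkts)) for r in (POSTED, DIRECTION_FIXED, REPLY_ONLY)}


if __name__ == "__main__":
    pkt_530 = transcript_packets()[3]
    for r in (POSTED, DIRECTION_FIXED, REPLY_ONLY):
        print(r.name, "first failed check on a 530 reply:", first_failed_check(r, pkt_530))
    print(summary())
```

Two things the model makes visible. First, the posted header and `flow:to_server` describe the client's side of the conversation, but the text `530 ` only ever appears in the server's reply, so on a sensor watching this test every 530 packet is rejected at the header before content is even examined. Second, even with direction corrected, requiring `Administrator` in the same packet as `530 ` fails on this server, whose 530 line is `530 User cannot log in.`; the username is only in the USER command and the 331 reply. To protect an FTP server inside `$HOME_NET` rather than to reproduce this outbound test, the same reply-only rule would be written `$HOME_NET 21 -> $EXTERNAL_NET any` with `flow:to_client,established` and `track by_dst`.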
