[Snort-sigs] Trouble in triggering the snort rule to detect FTP Brute Force attack

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Mon Apr 12 09:53:40 EDT 2010


Hi, this is L0rd Ch0de1m0rt.  The Emerging Threats community (a
snort-based friendly and helpful group of people) has a similar
looking FTP brute-force rule:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential
FTP Brute-Force attempt"; flow:from_server,established; dsize:<100;
content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not)/smi";
classtype:unsuccessful-user; threshold: type threshold, track by_dst,
count 5, seconds 300; reference:url,doc.emergingthreats.net/2002383;
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force;
sid:2002383; rev:11;)

This alerts on 5 failed logins within 300 seconds so tweak it as
necessary to do the needful in your environment.  If you only want to
alert on 'administrator' login attempts, I suggest you investigate
using flowbits since the attempted username and corresponding failed
login message will be in different packets.

Hope this helps.

Cheers.

-L0rd Ch0de1m0rt
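As an added illustration (not code from this thread or from Emerging Threats), the Python below replays both approaches against a constructed FTP session shaped like the one quoted further down: the single-packet rule never matches in either direction, because the username and the 530 reply never share a packet, while the flowbits-style two-stage correlation the reply suggests counts the three administrator failures and thresholds them. Function names, timestamps and the "PASS <redacted>" line are assumptions.

```python
import re
from collections import deque

# Regexes taken from the rules quoted in the thread.
FAIL_RE = re.compile(rb"530\s+(Login|User|Failed|Not)", re.I | re.S)
USER_RE = re.compile(rb"^USER\s+administrator\r?$", re.I | re.M)

def attempt(ts, user):
    """One constructed login attempt, modelled on the ftp session quoted below.
    Packets are (timestamp, direction, payload); "c2s" is client -> server."""
    return [
        (ts + 0.0, "c2s", b"USER " + user + b"\r\n"),
        (ts + 0.1, "s2c", b"331 Password required for " + user + b".\r\n"),
        (ts + 0.2, "c2s", b"PASS <redacted>\r\n"),
        (ts + 0.3, "s2c", b"530 User cannot log in.\r\n"),
    ]

# Three administrator failures inside a minute, plus an unrelated anonymous one.
SESSION = (attempt(0, b"administrator") + attempt(10, b"Administrator")
           + attempt(15, b"anonymous") + attempt(20, b"ADMINISTRATOR"))

def single_packet_matches(pkts, direction):
    """Manju's rule as written: a single packet must carry both the 530 banner
    and the username. Count such packets flowing in the given direction."""
    return sum(1 for _, d, p in pkts
               if d == direction and p.startswith(b"530 ") and FAIL_RE.search(p)
               and b"administrator" in p.lower())

def flowbit_alerts(pkts, count=3, seconds=60):
    """Two-stage correlation the reply suggests: remember (flowbits:set) that
    the client sent USER administrator, then treat the next server 530 on the
    same flow as an admin failure (flowbits:isset) and apply a count/seconds
    threshold that resets after each alert, like threshold type threshold."""
    admin_user_seen = False
    failures = deque()
    alerts = 0
    for ts, d, p in pkts:
        if d == "c2s" and USER_RE.search(p):
            admin_user_seen = True
        elif d == "s2c" and p.startswith(b"530 ") and FAIL_RE.search(p) and admin_user_seen:
            admin_user_seen = False
            failures.append(ts)
            while ts - failures[0] > seconds:  # drop failures outside the window
                failures.popleft()
            if len(failures) >= count:
                alerts += 1
                failures.clear()
    return alerts
```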

On Mon, Apr 12, 2010 at 5:07 AM, manjushree ks
<manjushree.ks at ...12...> wrote:
> Hi,
>
> This is Manju writing in to request any suggestions on the below snort rule,
>
> Rule that will detect more than 3 unsuccessful login attempts on a FTP
> server within a minute with username administrator or Administrator or
> ADMINISTRATOR. The Hacker is trying to login with the username administrator
> or Administrator or ADMINISTRATOR.
>
>
> Below is the rule that I have been trying out,
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force
> Attack"; flow:to_server,established; content:"530 "; depth:4;
> pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi"; content:"Administrator";
> nocase; threshold:type threshold, track by_src, count 3, seconds 60;
> classtype:suspicious-login; sid:3000002;)
>
> I have tried to login into a FTP server and below are the results,
>
> ******************************************
> root at ...3478...:~# ftp ftp.microsoft.com
> Connected to ftp.microsoft.akadns.net.
> 220 Microsoft FTP Service
> Name (ftp.microsoft.com:manjushree): administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> Remote system type is Windows_NT.
> ftp> user administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> ftp> user administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> ************************************************
>
> But I don't have alerts being triggered. Could anyone please let me know where
> am I going wrong?
>
> Thanks!
> Manju
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
