[Snort-sigs] Trouble in triggering the snort rule to detect FTP Brute Force attack

Joel Esler joel.esler at ...3366...
Mon Apr 12 10:07:13 EDT 2010


It looks like your connection is going from your home network outbound, so if you have your variables defined, you might not get the result you were expecting. 

However, to troubleshoot, you can try setting your variables to "any", and try removing your threshold statements from the rule. See if it triggers without the thresholds then adjust from there. 

--
Sent from my iPad
AIM: eslerjoel

On Apr 12, 2010, at 6:07 AM, manjushree ks <manjushree.ks at ...12...> wrote:

> Hi, 
> 
> This is Manju writing in to request any suggestions on the below snort rule,
> 
> Rule that will detect more than 3 unsuccessful login attempts on an FTP server within a minute with username administrator or Administrator or ADMINISTRATOR. The Hacker is trying to login with the username administrator or Administrator or ADMINISTRATOR.
> 
> 
> Below is the rule that I have been trying out,
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP Potential Brute Force Attack"; flow:to_server,established; content:"530 "; depth:4; pcre:"/530\s+(Login|User|Failed|Not|Logged|In)/smi"; content:"Administrator"; nocase; threshold:type threshold, track by_src, count 3, seconds 60; classtype:suspicious-login; sid:3000002;)
> 
> I have tried to login into a FTP server and below are the results,
> 
> ******************************************
> root at ...3478...:~# ftp ftp.microsoft.com
> Connected to ftp.microsoft.akadns.net.
> 220 Microsoft FTP Service
> Name (ftp.microsoft.com:manjushree): administrator
> 331 Password required for administrator.
> Password:
> 530 User cannot log in.
> Login failed.
> Remote system type is Windows_NT.
> ftp> user administrator
> 331 Password required for administrator.
> Password: 
> 530 User cannot log in.
> Login failed.
> ftp> user administrator
> 331 Password required for administrator.
> Password: 
> 530 User cannot log in.
> Login failed.
> ************************************************
> 
> But I don't have alerts being triggered. Could anyone please let me know where I am going wrong?
> 
> Thanks!
> Manju
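To make the troubleshooting advice above concrete, here is a stand-alone Python model of the rule's direction and threshold logic, added here as an example (it is not Snort and not code from either poster). It runs over a constructed set of three failed "administrator" logins, 20 seconds apart, from a client inside the home network to an outside FTP server; the IP addresses and timings are made up.

```python
"""Model of the thread's FTP brute-force rule: direction variables plus threshold."""
import ipaddress
from collections import defaultdict

# Constructed sample: three failed logins from 192.168.1.10 (inside the
# home network) to a public FTP server, one every 20 seconds.
ATTEMPTS = [
    # (timestamp, src_ip, dst_ip, dst_port, username, server_reply)
    (0,  "192.168.1.10", "203.0.113.21", 21, "administrator", "530 User cannot log in."),
    (20, "192.168.1.10", "203.0.113.21", 21, "Administrator", "530 User cannot log in."),
    (40, "192.168.1.10", "203.0.113.21", 21, "ADMINISTRATOR", "530 User cannot log in."),
]

def in_net(addr, spec):
    """Snort-style net variable: 'any', a CIDR, or a negated CIDR such as '!192.168.1.0/24'."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not in_net(addr, spec[1:])
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

class FtpBruteForceRule:
    """alert tcp $EXTERNAL_NET any -> $HOME_NET 21 ... threshold: track by_src, count N, seconds S."""
    def __init__(self, external_net, home_net, count=3, seconds=60):
        self.external_net, self.home_net = external_net, home_net
        self.count, self.seconds = count, seconds      # count=None models "threshold removed"
        self.seen = defaultdict(list)                   # by_src: source IP -> matching timestamps

    def matches(self, ts, src, dst, dport, user, reply):
        # Direction check ($EXTERNAL_NET -> $HOME_NET 21) plus the content conditions.
        return (in_net(src, self.external_net) and in_net(dst, self.home_net)
                and dport == 21 and reply.startswith("530 ")
                and user.lower() == "administrator")    # content:"Administrator"; nocase

    def process(self, attempt):
        """Return True when this attempt should raise an alert."""
        if not self.matches(*attempt):
            return False
        if self.count is None:                          # no threshold: alert on every match
            return True
        ts, src = attempt[0], attempt[1]
        hits = [t for t in self.seen[src] if ts - t < self.seconds] + [ts]
        if len(hits) >= self.count:                     # type threshold: fire on the count-th event
            self.seen[src] = []                         # then start counting again
            return True
        self.seen[src] = hits
        return False

def count_alerts(rule, attempts=ATTEMPTS):
    """Number of alerts the rule raises over the sample attempts."""
    return sum(rule.process(a) for a in attempts)
```

With $HOME_NET set to 192.168.1.0/24 the outbound attempts never match, because the source is inside the home network; with both variables set to "any" the third failure within 60 seconds fires once, and with the threshold removed every failure fires.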