[Snort-sigs] Mainframe FTP Failed Logins

paul stark starkp at ...2420...
Wed May 12 13:54:32 EDT 2010


I’m trying to write a rule that captures failed FTP logins to our
mainframe. Unfortunately it appears that all of my attempts to date
have not been successful.

The issue appears to occur because for some reason snort does not see
the 530 failed login code that is returned. The 220 status codes also
do not appear to be detected.

As you can see from the tcpdump below the user, pass and quit commands
appear to be detected correctly but the lines with the 220 and 530
status codes do not appear to contain any readable ascii data.

My question is has anyone seen this before or have any suggestions on
how I might be able to get the 530 code to appear. I had been trying
to model the rule after an emerging threats rule below:

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; \
    flow:from_server,established; dsize:<100; content:"530 "; depth:4; \
    pcre:"/530\s+(PASS)/smi"; threshold: type threshold, track by_dst, count 5, seconds 300; \
    classtype:unsuccessful-user; sid:2002383; rev:11; \
    reference:url,doc.emergingthreats.net/2002383; \
    reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/SCAN/SCAN_FTP_Brute_Force;)

Below is a sample failed FTP login attempt:

Connected to x.x.x.x.
220-FTPD1 IBM FTP CS V1R10 at xxxxx, 10:09:44 on 2010-05-12.
220-
220-*********************************************
220-* ZOS TEST LPAR *
220-*********************************************
220-
220 Connection will close if idle for more than 5 minutes.
User (x.x.x.x:(none)): abcd
331 Send password please.
Password:
530 PASS command failed
Login failed.
ftp> quit
221 Quit command received. Goodbye.

Below is a copy of the tcpdump output that I have been using to test
the rule, using the following snort syntax:

snort -r /root/debug.pcap -vX

05/12-10:08:25.280380 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23264 IpLen:20 DgmLen:48 DF
******S* Seq: 0x3E778E53 Ack: 0x0 Win: 0xFFFF TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 30 5A E0 40 00 7E 06 92 07 0A 8D B1 07 0A 83  .0Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 53 00 00 00 00 70 02  I.>y..>w.S....p.
0x0030: FF FF 67 E6 00 00 02 04 05 B4 01 01 04 02        ..g...........

=====================================+

05/12-10:08:25.281397 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23265 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E54 Ack: 0xBC998A2 Win: 0xFFFF TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5A E1 40 00 7E 06 92 0E 0A 8D B1 07 0A 83  .(Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 98 A2 50 10  I.>y..>w.T....P.
0x0030: FF FF F0 2E 00 00 00 00 00 00 00 00              ............

=====================================+

05/12-10:08:25.580050 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23266 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E54 Ack: 0xBC998E5 Win: 0xFFBC TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5A E2 40 00 7E 06 92 0D 0A 8D B1 07 0A 83  .(Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 98 E5 50 10  I.>y..>w.T....P.
0x0030: FF BC F0 2E 00 00 00 00 00 00 00 00              ............

=====================================+

05/12-10:08:25.881751 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23267 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E54 Ack: 0xBC999C6 Win: 0xFEDB TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5A E3 40 00 7E 06 92 0C 0A 8D B1 07 0A 83  .(Z.@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 99 C6 50 10  I.>y..>w.T....P.
0x0030: FE DB F0 2E 00 00 00 00 00 00 00 00              ............

=====================================+

05/12-10:08:27.373728 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23715 IpLen:20 DgmLen:51 DF
***AP*** Seq: 0x3E778E54 Ack: 0xBC999C6 Win: 0xFEDB TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 33 5C A3 40 00 7E 06 90 41 0A 8D B1 07 0A 83  .3\.@.~..A......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 54 0B C9 99 C6 50 18  I.>y..>w.T....P.
0x0030: FE DB 64 A4 00 00 55 53 45 52 20 61 62 63 64 0D  ..d...USER abcd.
0x0040: 0A                                               .

=====================================+

05/12-10:08:27.591482 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23716 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E5F Ack: 0xBC999E1 Win: 0xFEC0 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5C A4 40 00 7E 06 90 4B 0A 8D B1 07 0A 83  .(\.@.~..K......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 5F 0B C9 99 E1 50 10  I.>y..>w._....P.
0x0030: FE C0 F0 23 00 00 00 00 00 00 00 00              ...#........

=====================================+

05/12-10:08:27.869722 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23717 IpLen:20 DgmLen:50 DF
***AP*** Seq: 0x3E778E5F Ack: 0xBC999E1 Win: 0xFEC0 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 32 5C A5 40 00 7E 06 90 40 0A 8D B1 07 0A 83  .2\.@.~..@......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 5F 0B C9 99 E1 50 18  I.>y..>w._....P.
0x0030: FE C0 ED 0E 00 00 50 41 53 53 20 31 32 33 0D 0A  ......PASS 123..

=====================================+

05/12-10:08:27.993747 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23718 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E69 Ack: 0xBC999FA Win: 0xFEA7 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5C A6 40 00 7E 06 90 49 0A 8D B1 07 0A 83  .(\.@.~..I......
0x0020: 49 C9 3E 79 00 15 3E 77 8E 69 0B C9 99 FA 50 10  I.>y..>w.i....P.
0x0030: FE A7 F0 19 00 00 00 00 00 00 00 00              ............

=====================================+

05/12-10:08:28.749416 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23843 IpLen:20 DgmLen:46 DF
***AP*** Seq: 0x3E778E69 Ack: 0xBC999FA Win: 0xFEA7 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 2E 5D 23 40 00 7E 06 8F C6 0A 8D B1 07 0A 83  ..]#@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 69 0B C9 99 FA 50 18  I.>y..>w.i....P.
0x0030: FE A7 48 58 00 00 51 55 49 54 0D 0A              ..HX..QUIT..

=====================================+

05/12-10:08:28.751212 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23844 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3E778E6F Ack: 0xBC99A20 Win: 0xFE82 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5D 24 40 00 7E 06 8F CB 0A 8D B1 07 0A 83  .(]$@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 6F 0B C9 9A 20 50 10  I.>y..>w.o... P.
0x0030: FE 82 F0 12 00 00 00 00 00 00 00 00              ............

=====================================+

05/12-10:08:28.752409 x.x.x.x:15993 -> x.x.x.x:21
TCP TTL:126 TOS:0x0 ID:23845 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x3E778E6F Ack: 0xBC99A20 Win: 0xFE82 TcpLen: 20
0x0000: 00 11 5D 16 8E 80 00 19 A9 BD FC 00 08 00 45 00  ..]...........E.
0x0010: 00 28 5D 25 40 00 7E 06 8F CA 0A 8D B1 07 0A 83  .(]%@.~.........
0x0020: 49 C9 3E 79 00 15 3E 77 8E 6F 0B C9 9A 20 50 11  I.>y..>w.o... P.
0x0030: FE 82 F0 11 00 00 00 00 00 00 00 00              ............

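Editor's note with an added example (not part of the original post, and not Snort's or Emerging Threats' code). Every packet in the dump above is addressed to port 21 and carries the client's USER, PASS and QUIT, while the quoted rule has flow:from_server and can only match packets sent from port 21; so the first thing to check against a capture is whether it holds any server-to-client traffic at all. The script below decodes raw Ethernet/IPv4/TCP frames, reports the direction of each, and applies the rule's per-packet conditions and its threshold. It embeds the "USER abcd" frame from the dump byte for byte, plus constructed server replies: the 192.0.2.x addresses, the timestamps and the 331/530 payloads are made up for the example, as are all function names.

```python
"""Decode Ethernet/IPv4/TCP frames and apply the ET FTP brute-force rule logic.
Added example for this thread; not Snort or ET code. Server replies, the
192.0.2.x addresses and the timestamps are constructed."""
import re
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")      # IPv4 header without options
TCP_HDR = struct.Struct("!HHIIBBHHH")        # TCP header without options

# The "USER abcd" packet exactly as it appears in the dump above (client -> :21).
USER_FRAME = bytes.fromhex(
    "00115d168e800019a9bdfc000800"
    "450000335ca340007e0690410a8db1070a8349c9"
    "3e7900153e778e540bc999c65018fedb64a40000"
    "555345522061626364" "0d0a"              # "USER abcd\r\n"
)


def build_frame(src_ip, sport, dst_ip, dport, flags, payload, seq=1, ack=1):
    """Build a minimal frame for offline parsing. Checksums are left at zero,
    so these frames are test input, not something to put on a wire."""
    tcp = TCP_HDR.pack(sport, dport, seq, ack, 5 << 4, flags, 0xFFFF, 0, 0) + payload
    ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split(".")))) + tcp
    return ETH_HDR.pack(b"\x00\x11\x5d\x16\x8e\x80", b"\x00\x19\xa9\xbd\xfc\x00", 0x0800) + ip


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP honouring IHL and the TCP data offset; return the
    fields the rule needs (endpoints, flags, payload) or None if not TCP over IPv4."""
    if ETH_HDR.unpack_from(frame)[2] != 0x0800:
        return None
    ip_off = ETH_HDR.size
    ver_ihl, _, total, _, _, _, proto, _, src, dst = IP_HDR.unpack_from(frame, ip_off)
    if proto != 6:
        return None
    tcp_off = ip_off + (ver_ihl & 0x0F) * 4
    sport, dport, _, _, doff, flags, _, _, _ = TCP_HDR.unpack_from(frame, tcp_off)
    payload = frame[tcp_off + (doff >> 4) * 4: ip_off + total]
    return {"src": ".".join(map(str, src)), "sport": sport,
            "dst": ".".join(map(str, dst)), "dport": dport,
            "flags": flags, "payload": payload}


FAILED_LOGIN_RE = re.compile(rb"530\s+(PASS)", re.S | re.M | re.I)   # pcre:"/530\s+(PASS)/smi"


def ftp_failed_login(pkt):
    """The rule's per-packet conditions: source port 21 (from_server), dsize:<100,
    content:"530 " within depth 4 (i.e. at offset 0), then the pcre.
    The 'established' flow check is not modelled here."""
    p = pkt["payload"]
    return (pkt["sport"] == 21 and 0 < len(p) < 100
            and p[:4] == b"530 " and FAILED_LOGIN_RE.search(p) is not None)


class Threshold:
    """threshold: type threshold, track by_dst, count N, seconds S.
    Fires on every Nth matching event for a destination inside an S-second
    window (an approximation of Snort's event filter, not its exact code)."""
    def __init__(self, count=5, seconds=300):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])   # dst -> [window_start, hits]

    def event(self, dst, ts):
        start, hits = self.state[dst]
        if start is None or ts - start > self.seconds:
            start, hits = ts, 0
        hits += 1
        fire = hits >= self.count
        if fire:
            start, hits = ts, 0
        self.state[dst] = [start, hits]
        return fire


def scan(frames, timestamps=None):
    """Run every frame through the rule. Returns a direction summary (to see
    whether the capture holds any server->client traffic at all) and the
    (timestamp, client) alerts that the threshold let through."""
    th, alerts = Threshold(), []
    dirs = {"to_server": 0, "from_server": 0}
    for i, frame in enumerate(frames):
        pkt = parse_frame(frame)
        if pkt is None:
            continue
        if pkt["dport"] == 21:
            dirs["to_server"] += 1
        elif pkt["sport"] == 21:
            dirs["from_server"] += 1
        ts = timestamps[i] if timestamps else float(i)
        if ftp_failed_login(pkt) and th.event(pkt["dst"], ts):
            alerts.append((ts, pkt["dst"]))
    return dirs, alerts


# Constructed server replies: one 331 and six "530 PASS command failed" from a
# hypothetical mainframe 192.0.2.10:21 to client 192.0.2.20:15993.
SERVER, CLIENT, PSH_ACK = "192.0.2.10", "192.0.2.20", 0x18
SAMPLE_FRAMES = [USER_FRAME,
                 build_frame(SERVER, 21, CLIENT, 15993, PSH_ACK, b"331 Send password please.\r\n")]
SAMPLE_FRAMES += [build_frame(SERVER, 21, CLIENT, 15993, PSH_ACK, b"530 PASS command failed\r\n")
                  for _ in range(6)]

if __name__ == "__main__":
    print(parse_frame(USER_FRAME))
    print(scan(SAMPLE_FRAMES))
```

Two properties of the quoted rule are worth keeping in mind when reading the results. First, the header is $HOME_NET 21 -> $EXTERNAL_NET any, so if EXTERNAL_NET is defined as !$HOME_NET an internal client logging in to the mainframe never matches, whatever the payload says. Second, content:"530 " with depth:4 requires the space immediately after the code; the z/OS banner above is sent as a multi-line reply (220-...), and a 530 sent the same way would begin "530-" and not match this content check.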


