[Snort-sigs] FTP brute Force attack

sumitkamboj88 at ...2420...
Thu Jun 13 07:33:31 EDT 2013


Hello everyone,
I am using the below rule to detect an FTP brute force attack.

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; \
    flow:from_server,established; content:"530 "; \
    pcre:"/530\s+(Login|User|Failed|Not)/smi"; \
    classtype:unsuccessful-user; \
    threshold: type threshold, track by_dst, count 5, seconds 60; \
    sid:2002383; rev:10;)

It is working properly, but when I check the generated log file using u2spewfoo
it shows the source of the attack as the destination and the destination of the
attack as the source (meaning it shows the attacker as a target). I also know why
it is happening: because the "530 login incorrect" message is generated by the FTP server.
I just want to know if there is any way to get a generated log which
shows the actual source and destination of the attack.
-- 

Warm Regards
Sumit Kumar
Guru Nanak Dev University, Amritsar
Mo:- 8968227299
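The direction problem described above comes from the rule matching on the server's reply (flow:from_server), so the packet that fires the alert really does travel FTP server -> client, and Snort records it that way. One way to get a log oriented toward the attacker is to post-process the alerts and swap the endpoints for sids known to match on server responses. The script below is an added example and is not part of the original post or of Snort; it assumes alerts in Snort's "fast" text format rather than the unified2 records u2spewfoo prints, the set of server-side sids (here only 2002383, from the post) is this script's own assumption, and the sample alert lines, the second sid 1000001 and its message are constructed for the example.

```python
import re
from collections import Counter

# Alert lines in Snort's "fast" output format, constructed for this example.
# The first three are fired by sid 2002383 on the server's "530" reply, so the
# packet source is the FTP server and the packet destination is the client.
# The fourth uses a constructed client-side sid to show the untouched case.
SAMPLE_ALERTS = """\
06/13-07:33:31.123456  [**] [1:2002383:10] ET SCAN Potential FTP Brute-Force attempt [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.0.0.21:21 -> 203.0.113.7:51234
06/13-07:33:32.223456  [**] [1:2002383:10] ET SCAN Potential FTP Brute-Force attempt [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.0.0.21:21 -> 203.0.113.7:51235
06/13-07:34:02.000001  [**] [1:2002383:10] ET SCAN Potential FTP Brute-Force attempt [**] [Classification: Unsuccessful User Privilege Gain] [Priority: 1] {TCP} 10.0.0.21:21 -> 198.51.100.9:40001
06/13-07:35:00.000002  [**] [1:1000001:1] EXAMPLE client-side rule (constructed) [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51300 -> 10.0.0.21:21
"""

# Sids whose rule fires on a server response (flow:from_server). For these the
# packet's src/dst are the reverse of attacker/target. Listing 2002383 here is
# this script's assumption, taken from the rule quoted in the post.
SERVER_SIDE_SIDS = {2002383}

FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line):
    """Parse one fast-format alert line into a dict; return None if it does not match."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def normalize_direction(alert):
    """Return a copy with 'attacker'/'target' fields oriented toward the host that
    initiated the activity: swapped for server-response sids, as-is otherwise."""
    out = dict(alert)
    if alert["sid"] in SERVER_SIDE_SIDS:
        out["attacker"], out["attacker_port"] = alert["dst"], alert["dport"]
        out["target"], out["target_port"] = alert["src"], alert["sport"]
        out["swapped"] = True
    else:
        out["attacker"], out["attacker_port"] = alert["src"], alert["sport"]
        out["target"], out["target_port"] = alert["dst"], alert["dport"]
        out["swapped"] = False
    return out


def normalize_log(text):
    """Parse every alert line and normalize its direction; unparsable lines are skipped."""
    result = []
    for line in text.splitlines():
        a = parse_fast_alert(line)
        if a is not None:
            result.append(normalize_direction(a))
    return result


def failures_per_attacker(alerts, sid=2002383):
    """Count normalized alerts for one sid per attacking host, which is the
    per-source view the rule's track by_dst threshold cannot give directly."""
    return Counter(a["attacker"] for a in alerts if a["sid"] == sid)


if __name__ == "__main__":
    alerts = normalize_log(SAMPLE_ALERTS)
    for a in alerts:
        flag = "swapped" if a["swapped"] else "as-is  "
        print(f"{a['ts']} sid={a['sid']} {flag} "
              f"attacker={a['attacker']}:{a['attacker_port']} "
              f"target={a['target']}:{a['target_port']}")
    print(dict(failures_per_attacker(alerts)))
```

The same swap can be applied to u2spewfoo's unified2 dump by keying on the sid of each event record; the orientation problem is in the rule semantics, not the output plugin, so any consumer of these alerts needs to know which sids match on server replies.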