[Snort-sigs] FTP brute Force attack

Lay, James james.lay at ...3513...
Thu Jun 13 10:30:55 EDT 2013



This rule is firing on the response FROM your server
(flow:from_server,established), so the "source" is going to be your
server and the destination is going to be the host that is trying to
brute force your server.  Hope that helps.




From: sumitkamboj88 at ...2420... [mailto:sumitkamboj88 at ...2420...] 
Sent: Thursday, June 13, 2013 5:34 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FTP brute Force attack


Hello everyone,

I am using the rule below to detect FTP brute force attacks.


alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 60; sid:2002383; rev:10;)


It is working properly, but when I check the generated log file using
u2spewfoo, it shows the source of the attack as the destination and the
destination of the attack as the source (meaning it shows the attacker
as the target). I also know why it is happening because "530 login
incorrect" message generated by FTP

I just want to know whether there is any way to get a generated log
which shows the actual source and destination of the attack.


Warm Regards
Sumit Kumar
Guru Nanak Dev University, Amritsar
Mo:- 8968227299
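
Added example, not part of the original thread and not Snort project code: one way to report the attacker and target correctly is to leave the rule alone and swap the endpoints when post-processing alerts from rules that match server responses. The set SERVER_RESPONSE_SIDS, the function names, and the sample text (laid out like u2spewfoo's "key: value" event dump) are assumptions constructed for illustration.

```python
import re

# Assumption: SIDs whose rules use flow:from_server, so the logged
# "source" is the defended server rather than the attacking host.
SERVER_RESPONSE_SIDS = {2002383}

# Constructed sample in the "key: value" layout of a u2spewfoo event dump.
# Addresses come from documentation ranges; this is not real alert data.
SAMPLE = """\
(Event)
\tsensor id: 0\tevent id: 1\tevent second: 1371119455\tevent microsecond: 100
\tsig id: 2002383\tgen id: 1\trevision: 10\t classification: 0
\tpriority: 1\tip source: 192.0.2.10\tip destination: 203.0.113.7
\tsrc port: 21\tdest port: 40112\tprotocol: 6\timpact_flag: 0\tblocked: 0

(Event)
\tsensor id: 0\tevent id: 2\tevent second: 1371119460\tevent microsecond: 200
\tsig id: 1000001\tgen id: 1\trevision: 1\t classification: 0
\tpriority: 2\tip source: 203.0.113.7\tip destination: 192.0.2.10
\tsrc port: 40200\tdest port: 22\tprotocol: 6\timpact_flag: 0\tblocked: 0
"""

FIELD = re.compile(
    r"(sig id|ip source|ip destination|src port|dest port):\s*(\S+)")


def parse_events(text):
    """Return one dict of the fields above per (Event) record."""
    return [dict(FIELD.findall(block)) for block in text.split("(Event)")[1:]]


def attacker_view(event):
    """Label the endpoints, swapping them for server-response rules."""
    sid = int(event["sig id"])
    src = (event["ip source"], int(event["src port"]))
    dst = (event["ip destination"], int(event["dest port"]))
    if sid in SERVER_RESPONSE_SIDS:
        # The alert fired on the 530 reply, so the logged destination
        # is the client that sent the failed logins.
        src, dst = dst, src
    return {"sid": sid, "attacker": src, "target": dst}


if __name__ == "__main__":
    for ev in parse_events(SAMPLE):
        print(attacker_view(ev))
```

Alerts from SIDs outside the set keep the direction Snort logged.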
