[Snort-sigs] FTP brute Force attack
james.lay at ...3513...
Thu Jun 13 10:30:55 EDT 2013
This rule is firing on the response FROM your server
(flow:from_server,established), so the "source" is going to be your
server and the destination is going to be the host that is trying to brute
force your server. Hope that helps.
From: sumitkamboj88 at ...2420... [mailto:sumitkamboj88 at ...2420...]
Sent: Thursday, June 13, 2013 5:34 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] FTP brute Force attack
I am using the rule below to detect FTP brute force attacks.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP
flow:from_server,established; content:"530 ";
threshold: type threshold, track by_dst, count 5, seconds 60;
It is working properly, but when I check the generated log file using
u2spewfoo it shows the source of the attack as the destination and the destination of
the attack as the source (meaning it shows the attacker as the target). I also know why
it is happening, because the "530 login incorrect" message is generated by FTP
I just want to know whether there is any way to get a generated log which
shows the actual source and destination of the attack.
Guru Nanak Dev University, Amritsar
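The mechanics James describes, as an added example that is not part of this thread and not Snort's own code: a small Python simulation of the posted rule (flow:from_server, content "530 ", threshold tracked by_dst) run over constructed FTP traffic. It shows the raw alert carrying the FTP server as source and the brute-forcing client as destination, and a normalization step that swaps the tuple for from_server rules so the log names the attacker as the source. The IP addresses, timestamps, helper names and the simplified threshold semantics (one alert per `count` matches inside the window, then reset) are assumptions made for the illustration.

```python
"""Simulate a Snort-style FTP brute-force rule keyed on server "530" replies.

Constructed example, not Snort code. It reproduces the observation from the
thread: a rule with flow:from_server fires on the server's reply, so the raw
alert's source is the server and its destination is the attacking client.
"""
from collections import defaultdict, deque

FTP_PORT = 21  # the rule's "$HOME_NET 21" side, treated as the server here (assumption)

# Constructed addresses for the sample traffic.
SERVER, ATTACKER, OTHER = "192.0.2.10", "203.0.113.5", "198.51.100.7"


def packet(ts, src, sport, dst, dport, payload):
    """Minimal packet record: timestamp in seconds plus the 4-tuple and payload."""
    return {"ts": ts, "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}


def build_sample_traffic():
    """Constructed sample: one client fails six logins in 50 s, another fails twice."""
    pkts = []
    for i in range(6):
        t = i * 10
        pkts.append(packet(t, ATTACKER, 40000 + i, SERVER, FTP_PORT, "PASS guess%d\r\n" % i))
        pkts.append(packet(t + 1, SERVER, FTP_PORT, ATTACKER, 40000 + i, "530 Login incorrect.\r\n"))
    # A client command whose payload contains the content pattern: matches
    # content:"530 " but is not from_server, so the rule must ignore it.
    pkts.append(packet(5, OTHER, 51000, SERVER, FTP_PORT, "PASS 530 nope\r\n"))
    for i in range(2):
        pkts.append(packet(6 + i, SERVER, FTP_PORT, OTHER, 51000, "530 Login incorrect.\r\n"))
    return sorted(pkts, key=lambda p: p["ts"])


def is_from_server(pkt):
    """flow:from_server approximated by source port (assumption: no state tracking)."""
    return pkt["sport"] == FTP_PORT


def detect(packets, count=5, seconds=60):
    """Emulate: flow:from_server; content:"530 "; threshold type threshold, track by_dst.

    Returns raw alerts in packet orientation: src is the server, dst is the client.
    Simplification: alert once every `count` matching packets per dst inside the
    window, then reset that dst's counter.
    """
    seen = defaultdict(deque)
    alerts = []
    for p in packets:
        if not is_from_server(p) or "530 " not in p["payload"]:
            continue
        q = seen[p["dst"]]  # track by_dst: key on the client receiving the rejection
        q.append(p["ts"])
        while q and p["ts"] - q[0] >= seconds:
            q.popleft()
        if len(q) >= count:
            alerts.append({"ts": p["ts"], "src": p["src"], "sport": p["sport"],
                           "dst": p["dst"], "dport": p["dport"]})
            q.clear()
    return alerts


def normalize(alert, flow_from_server=True):
    """Re-label an alert as attacker -> target.

    For a from_server rule the packet that triggered the alert travels
    server -> client, so the attacker is the packet's destination.
    """
    if flow_from_server:
        return {"ts": alert["ts"], "attacker": alert["dst"], "attacker_port": alert["dport"],
                "target": alert["src"], "target_port": alert["sport"]}
    return {"ts": alert["ts"], "attacker": alert["src"], "attacker_port": alert["sport"],
            "target": alert["dst"], "target_port": alert["dport"]}


if __name__ == "__main__":
    for raw in detect(build_sample_traffic()):
        print("raw alert      :", raw)          # src = server, dst = attacker
        print("normalized     :", normalize(raw))  # attacker = client that was rejected
```

With the constructed traffic the rule fires once, at the fifth rejection sent to 203.0.113.5; the raw alert lists 192.0.2.10:21 as source, and `normalize` flips it so the log reads attacker 203.0.113.5, target 192.0.2.10. The second client, rejected only twice, never crosses the threshold, and the client command containing "530 " is discarded by the flow check before it can be counted.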