[Snort-sigs] FTP brute Force attack

waldo kitty wkitty42 at ...3507...
Thu Jun 13 12:28:55 EDT 2013

On 6/13/2013 07:33, sumitkamboj88 at ...2420... wrote:
> Hello everyone
> i am using below rule to detect ftp brute force attack.
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"ET SCAN Potential FTP Brute-Force attempt";
> flow:from_server,established; content:"530
> "; pcre:"/530\s+(Login|User|Failed|Not)/smi"; classtype:unsuccessful-user;
> threshold: type threshold, track by_dst, count 5, seconds 60; sid:2002383; rev:10;)
> it is working properly.but when i check generated log file using u2spewfoo it
> shows source of attack as destination and destination of
> attack as a source(means it shows attacker as a target).i also know why it is
> happening because "530 login incorrect" message generated by FTP server.
> I just want to know there is any way so that i got a generated log which shows
> actual source and destination of attack.

no, not with snort or most snort related tools... the rule is reporting 
accurately, though...

what we have done, in an auto-response tool, is to adjust the message to add 
"BLOCKING DESTINATION"... the code in the tool detects that additional text in 
the MSG and flips the source and destination entries internally for all further 
processing... the snort log still reports them "backwards" but the 
auto-responder reports the blocked site as the "source" of the apparent 
attack... we've just had to train out folks to see them backwards in the same 
way as the auto-responder when they see the additional text in the MSG...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-sigs mailing list