[Snort-sigs] Kerberos login failure detection
wkitty42 at ...3507...
Mon Sep 15 14:47:15 EDT 2014
On 9/15/2014 10:28 AM, Sharif Uddin wrote:
> I would like to set up an alert for this in my network. I have found the
> following guide but the alert is not producing any results
> # ad login failed
> alert tcp any 88 -> any any (msg:"Possible domain user spraying detected"; \
> flow:established, to_client; \
> content:"|05|"; offset:14; depth:15; \
> content:"|1e|"; distance:4; within:1; \
> content:"|18|"; distance:30; within:1; \
> detection_filter:track by_dst, count 1, seconds 60; \
> reference:url,foxtrot7security.blogspot.com/2011/12/defeat-domain-user-spraying-brute_28.html; \
> classtype:attempted-user; \
> sid:1000002;)
Firstly, what version of snort are you using?
I think your problem is going to stem from the combined "offset", "depth",
"distance" and "within" options... I say this because how they operate has
changed in recent versions of snort as compared to that which was available back
in December of 2011... the rule might work with the use of one of the "raw*"
modifiers or a slightly different manner of specifying where the data is to be
found in the buffer it is contained in... hopefully this helps point you in the
right direction ;)
NOTE: No off-list assistance is given without prior approval.
Please *keep mailing list traffic on the list* unless
private contact is specifically requested and granted.
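To make the point about the combined offset/depth/distance/within options concrete, here is an added Python example (not from either poster, nor from Snort or the referenced blog) that encodes a constructed KRB-ERROR reply and emulates the rule's three content checks with Snort 2 style window semantics. The DER builders, the field sizes and the `susec_size` knob are assumptions chosen to mirror a typical KDC reply; the knob shows how a one-byte change in an earlier field moves the error-code byte out of the fixed `distance:30; within:1;` window even though the reply is still a pre-authentication failure.

```python
"""Constructed KRB-ERROR reply plus an emulation of the quoted rule's matching."""


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (assumed helper; body lengths up to 255 bytes)."""
    length = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + length + body


def ctx(n: int, body: bytes) -> bytes:          # context-specific [n], constructed
    return der(0xA0 | n, body)


def integer(v: int, size: int = 1) -> bytes:    # INTEGER at a fixed byte width
    return der(0x02, v.to_bytes(size, "big"))


def build_krb_error(susec_size: int = 3) -> bytes:
    """TCP payload: 4-byte length prefix + KRB-ERROR (APPLICATION 30) with
    error-code 24 (KDC_ERR_PREAUTH_FAILED). The e-data pushes the message past
    127 bytes so the long-form lengths the rule's offset:14 assumes are used.
    susec_size (assumption) shifts every later field by one byte when set to 2."""
    sname = der(0x30, ctx(0, integer(2)) + ctx(1, der(0x30, der(0x1B, b"krbtgt")
                                                     + der(0x1B, b"EXAMPLE.COM"))))
    etype_info2 = der(0x30, der(0x30, ctx(0, integer(18))
                                + ctx(1, der(0x1B, b"EXAMPLE.COMalice"))))
    method_data = der(0x30, der(0x30, ctx(1, integer(2)) + ctx(2, der(0x04, b"")))
                      + der(0x30, ctx(1, integer(19)) + ctx(2, der(0x04, etype_info2))))
    body = (ctx(0, integer(5))                          # pvno = 5
            + ctx(1, integer(30))                       # msg-type = KRB-ERROR
            + ctx(4, der(0x18, b"20140915144715Z"))     # stime
            + ctx(5, integer(12345, susec_size))        # susec
            + ctx(6, integer(24))                       # error-code = preauth failed
            + ctx(9, der(0x1B, b"EXAMPLE.COM"))         # realm
            + ctx(10, sname)                            # sname = krbtgt/EXAMPLE.COM
            + ctx(12, der(0x04, method_data)))          # e-data: PA-DATA hints
    msg = der(0x7E, der(0x30, body))
    return len(msg).to_bytes(4, "big") + msg


def content(payload, pat, *, offset=0, depth=None, distance=None, within=None, prev_end=None):
    """One content check. offset/depth form an absolute window; distance/within
    form a window relative to the end of the previous match. Returns the index
    just past the match, or None when the pattern is not inside the window."""
    if prev_end is None:
        start, end = offset, (offset + depth if depth is not None else len(payload))
    else:
        start = prev_end + (distance or 0)
        end = start + within if within is not None else len(payload)
    i = payload.find(pat, start, end)
    return None if i < 0 else i + len(pat)


def rule_matches(payload: bytes) -> bool:
    """The three content checks of the quoted rule, applied in order."""
    e = content(payload, b"\x05", offset=14, depth=15)                # pvno
    if e is not None:
        e = content(payload, b"\x1e", distance=4, within=1, prev_end=e)   # KRB-ERROR
    if e is not None:
        e = content(payload, b"\x18", distance=30, within=1, prev_end=e)  # code 24
    return e is not None
```

With the default 3-byte susec the bytes 0x05, 0x1e and 0x18 sit at payload offsets 14, 19 and 50 and the rule fires; with a 2-byte susec the error code moves to offset 49 and the rigid window misses it.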