[Snort-sigs] Kerberos login failure detection

waldo kitty wkitty42 at ...3507...
Mon Sep 15 14:47:15 EDT 2014

On 9/15/2014 10:28 AM, Sharif Uddin wrote:
> Hello
> I would like to set up an alert for this in my network. I have found the
> following guide but the alert is not producing any results
> http://foxtrot7security.blogspot.co.uk/2011/12/defeat-domain-user-spraying-brute_28.html
> # ad login failed
> alert tcp any 88 -> any any (msg:"Possible domain user spraying detected"; \
> flow:established, to_client; \
> content:"|05|"; offset:14; depth:15; \
> content:"|1e|"; distance:4; within:1; \
> content:"|18|"; distance:30; within:1; \
> detection_filter:track by_dst, count 1, seconds 60; \
> reference:url,foxtrot7security.blogspot.com/2011/12/defeat-domain-user-spraying-brute_28.html; \
> classtype:attempted-user; \
> sid:1000002; \
> rev:0;)

firstly, what version of snort are you using?

in think your problem is going to stem from the combined "offset", "depth", 
"distance" and "within" options... i say this because how they operate has 
changed in recent versions of snort as compared to that which was available back 
in December of 2011... the rule might work with the use of one of the "raw*" 
modifiers or a slightly different manner of specifying where the data is to be 
found in the buffer it is contained in... hopefully this helps point you in the 
right direction ;)

  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

More information about the Snort-sigs mailing list