[Snort-sigs] Rule Needed

Alex McDonnell amcdonnell at sourcefire.com
Wed May 16 13:36:59 EDT 2018


You can do number 1 yourself using the detection_filter rule option. For
number 2 you have the details of what that is, but unless you know the
password, you can't detect the same password being used over and over.

On Wed, May 16, 2018 at 1:28 PM, Beshoy Atef via Snort-sigs <
snort-sigs at lists.snort.org> wrote:

> Hello Snort Team,
>
> I have came across something that you might be able to help me in,
>
> We had a pen testing project, and we had a recommendations of applying
> rule to detect password sprays,
>
> What happened is that the pen tester was able to run a script that send
> multiple sessions to login to multiple machines using the different
> usernames but with the same password, till he was able to login.
>
> I need a rule that can detect the following:
>
> 1) If multiple login sessions was initiated from the same machine -same
> source ip-  within low time frame.
> 2) It was using different usernames but all used the same password.
> 3) It was not destined to one machine that is why this ip was not locked
> out.
>
> I would appreciate if you can guide me to get this rule implemented.
>
> Thanks again.
> Beshoy
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.snort.org
> https://lists.snort.org/mailman/listinfo/snort-sigs
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
> Please follow these rules: https://snort.org/faq/what-is-
> the-mailing-list-etiquette
>
> Visit the Snort.org to subscribe to the official Snort ruleset, make sure
> to stay up to date to catch the most <a href="
> https://snort.org/downloads/#rule-downloads">emerging threats</a>!
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180516/22a134ba/attachment.html>


More information about the Snort-sigs mailing list