[Snort-sigs] Rule Needed

Beshoy Atef beshoy.atef88 at yahoo.com
Thu May 17 18:25:51 EDT 2018


 Thank you Phillip so much for your reply,

I want to alert if any number of SSH traffic originated from any one source IP -tracking has to be from source IP and the destination port to b 22- 
So here I need to alert on a specific network protcol which is SSH, and I want to track by source IP.
I tried detection filter, but detection filter needs to determine what is the source ip which I need to put as any and there is no option to enter the destination port as 22.

Any other suggestions?
    On Wednesday, May 16, 2018, 11:09:52 AM PDT, Phillip Lee <phillile at sourcefire.com> wrote:  
 
 Hey Beshoy,In order to write a proper rule, you need to scope properly.  As Alex mentioned already, to alert against same source ip within low time frame, detection_filter is your friend.
Regarding your latest comment, if you don’t know username/password, nor the protocol, then you’re not left with a lot of context to distinguish between good and bad traffic.  Assuming as a defender, you’re protecting some application, then understand what application you’re protecting and the protocols used to send the password over.  If you’re trying to detect against a specific type of tool that runs the password spray, then understand that tool and try to figure out some defining characteristics of that tool.
Your original ask of ‘detect a password spray attack against any protocol against any web application’ is too broad to create generic coverage for without creating way too many false positives. Regarding your fast_pattern question - check the following from the snort manual:http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node32.html#SECTION004522000000000000000

On May 16, 2018, at 2:01 PM, Beshoy Atef via Snort-sigs <snort-sigs at lists.snort.org> wrote:
 Alex, Thank you for your reply,

However both 1, 2 & 3 for the same event not different events, the problem is that during a pentest I would never know what this password could be.
The attack in general is named password spray attack. could be used on different protcols, ssh, rdp, rlogin and any web application that can accept usernames and passwords, and so on.    On Wednesday, May 16, 2018, 10:37:02 AM PDT, Alex McDonnell <amcdonnell at sourcefire.com> wrote:  
 
 You can do number 1 yourself using the detection_filter rule option. For number 2 you have the details of what that is, but unless you know the password, you can't detect the same password being used over and over. 
On Wed, May 16, 2018 at 1:28 PM, Beshoy Atef via Snort-sigs <snort-sigs at lists.snort.org> wrote:

Hello Snort Team,

I have came across something that you might be able to help me in,

We had a pen testing project, and we had a recommendations of applying rule to detect password sprays,

What happened is that the pen tester was able to run a script that send multiple sessions to login to multiple machines using the different usernames but with the same password, till he was able to login.

I need a rule that can detect the following:
1) If multiple login sessions was initiated from the same machine -same source ip-  within low time frame.2) It was using different usernames but all used the same password.3) It was not destined to one machine that is why this ip was not locked out.

I would appreciate if you can guide me to get this rule implemented.

Thanks again.
Beshoy
______________________________ _________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org
https://lists.snort.org/ mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is- the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/# rule-downloads">emerging threats</a>!



  _______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.snort.org
https://lists.snort.org/mailman/listinfo/snort-sigs

Please visit http://blog.snort.org for the latest news about Snort!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180517/38372dc8/attachment.html>


More information about the Snort-sigs mailing list