[Snort-users] Threshold settings

Jeff Kell jeff-kell at ...6282...
Wed Dec 31 12:18:02 EST 2003


The "current" rules for 2.1.0 have, among other things, signatures 2273 
and 2274 warning of "brute force login attempts" at IMAP and POP3.  The 
rules contain the threshold directives:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2273; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2274; rev:1;)

Two questions (posed to the snort-sigs list, but not strictly 
sig-related additions here):

(1) Do you have to make entries in threshold.conf for these SIDs?  In 
the supplied threshold.conf there are no active directives, only 
comments.  In other words, isn't defining the thresholds within the 
SID going to set the threshold settings, or do you have to duplicate 
them in threshold.conf as well?

(2) Both rules are tracking by_dst.  Our central POP/IMAP servers are 
logging lots of these sigs (lots of people logging in or periodically 
checking for new mail).  Shouldn't they be tracking by_src instead?

Jeff
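Added illustration, not part of Jeff's post and not Snort's own code: a simplified Python model of the `threshold:type threshold, count 5, seconds 60` counting rule, run over constructed traffic, to make the difference between `track by_dst` and `track by_src` in the two rules concrete. The model assumes the documented semantics of that threshold type (alert on every count-th matching event per tracked address inside a seconds-long window that starts at the first event seen for that address, restarting once the window has elapsed); the addresses, timestamps and the `Event`/`threshold_alerts`/`compare` names are all made up for the example.

```python
"""
Simplified model of Snort's `threshold:type threshold` rule option, used to
compare `track by_dst` with `track by_src` on constructed traffic.

This is an added example, not Snort's implementation. Semantics modelled:
for each tracked address, fire on every `count`-th matching event inside a
`seconds`-long window that starts at the first event seen for that address;
the window and the counter restart once `seconds` have elapsed.
"""
from collections import namedtuple

# ts is a timestamp in seconds; src/dst are IP addresses as strings.
Event = namedtuple("Event", "ts src dst dport")


def threshold_alerts(events, track, count, seconds):
    """Return [(ts, key)] for every event at which the threshold fires.

    track is 'by_src' or 'by_dst'; key is the address being tracked.
    """
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    state = {}   # key -> (window_start, hits_in_window)
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = ev.src if track == "by_src" else ev.dst
        start, hits = state.get(key, (ev.ts, 0))
        if ev.ts - start >= seconds:      # window expired: open a new one
            start, hits = ev.ts, 0
        hits += 1
        if hits >= count:                 # every count-th event alerts
            alerts.append((ev.ts, key))
            hits = 0
        state[key] = (start, hits)
    return alerts


def sample_events():
    """Constructed traffic (not a real capture).

    20 distinct users each issue one IMAP LOGIN to the mail server
    10.0.0.25 within a minute (normal mail checking), and one host
    198.51.100.7 issues 12 LOGINs in 30 seconds (brute-force pattern).
    """
    server = "10.0.0.25"
    events = [Event(ts=i * 2.5, src=f"192.0.2.{i + 1}", dst=server, dport=143)
              for i in range(20)]
    events += [Event(ts=100 + i * 2.5, src="198.51.100.7", dst=server, dport=143)
               for i in range(12)]
    return events


def compare(count=5, seconds=60):
    """Run the same traffic through both track modes with the rules' settings."""
    ev = sample_events()
    return {
        "by_dst": threshold_alerts(ev, "by_dst", count, seconds),
        "by_src": threshold_alerts(ev, "by_src", count, seconds),
    }


if __name__ == "__main__":
    for track, alerts in compare().items():
        print(track, len(alerts), "alerts on", sorted({k for _, k in alerts}))
```

With by_dst every fifth LOGIN reaching the server counts, so the twenty ordinary users alone produce four alerts keyed on the server's address and the attacker's burst is indistinguishable from them; with by_src the ordinary users (one LOGIN each) never reach the count and only the single host sending twelve LOGINs fires, twice.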
