[Snort-users] Fwd: Failed FTP login signature

Christopher christopher at ...14135...
Wed May 23 10:28:22 EDT 2007


Just in case anyone else finds this useful:

The SSH, and FTP rules were taken from the bleeding snort rules.
They've been modified for use with snortsam.  These have been working
great for us.  The thresholds are what make these work great.  With
snortsam,  we can add DROP rules for everything from that IP address
to our firewall.

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (   msg: "BLOCKED
Potential SSH Scan"; \
                                                priority:1; \
                                                flags: S; flowbits: \
                                                set,ssh.brute.attempt; \
                                                threshold: type
threshold, track by_src, count 15, seconds 300; \
                                                classtype: attempted-recon; \

reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/;
\
                                                sid: 1000000; rev:13;
fwsam: src, 30 days;)

alert tcp $DMZ_NET 80 -> $EXTERNAL_NET any (    msg: "BLOCKED
Excessive HTTP 404 - Possible vulnerability scan"; \
                                                priority:1; classtype:
attempted-recon; \
                                                flow:established,from_server; \
                                                threshold: type
threshold, track by_dst, count 30, seconds 300; \
                                                fwsam: dst, 30 days; \
                                                sid:1000001; rev:1; \
                                                content:"404"; nocase;)

alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (   msg:"BLOCKED Potential
FTP Brute-Force attempt"; \
                                                flow:from_server,established; \
                                                content:"530 ";
pcre:"/^530\s+(Login|User|Failed)/smi"; \
                                                classtype:unsuccessful-user; \
                                                threshold: type
threshold, track by_dst, count 15, seconds 300; \
                                                sid:1000002; rev:1; \
                                                fwsam: dst, 30 days;)

On 5/23/07, Atkins, Dwane P <ATKINSD at ...9240...> wrote:
>
>
>
>
> In an attempt to possible thwart attacks prior to arriving a the desktop, we
> are looking for a signature that would alert us as to when someone is trying
> to FTP or SSH into a system on our network.  I am thinking that if someone
> has typed in 5 or 6 passwords and has not connected, then they certainly do
> not have a need to be there.
>
>
>
> Does anyone out there have a signature for this type of incident?
>
>
>
> We would probably be looking at Telnet, SSH, FTP and possible HTTP.
>
>
>  Thanks
>
>
>  Dwane
>
>
>
> Dwane Atkins
>
> 210-567-0158
>
>
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>




More information about the Snort-users mailing list