[Snort-users] Fwd: Failed FTP login signature

Daniel Cid danielcid at ...6873...
Mon May 28 10:51:45 EDT 2007


Hi Christopher,

That's what I would call using the right tool for the 
wrong reasons (or something like that).

The provided sshd signature does not detect brute
force attacks, but multiple connections from the same
source ip (failed or not). The HTTP signature can
easily generate false positivies since you are just
looking for the content "404", and it would not work
with SSL...

My point is: why not use log analysis to detect failed
logins (and brute force attacks)? Both sshd, apache, 
apache-ssl, ftp, telnet, etc ,etc log every failed
login attempt (and every successful login attempt)?

By using log analysis you can reliably detect every
failure and you don't need to worry about encrypted
traffic. Plus, you can do more useful stuff, like
detecting multiple failed login attempts followed
by a success (successful brute force attack) and
monitoring every successful login to your systems.

I wrote a paper while back with some patterns that
we can look in authentication logs:

http://www.ossec.net/en/loganalysis.html

And if you are looking for an open source tool to
monitor all your logs (from Apache to sshd, proftpd,
Windows logs, etc, etc), with the ability to execute
active responses based on them (blocking ips,
disabling users, etc), you can try ossec*:

http://www.ossec.net
http://www.ossec.net/wiki/index.php/FAQ

*note that I am the author of this tool.

hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net




--- Christopher <christopher at ...14135...> escreveu:

> Just in case anyone else finds this useful:
> 
> The SSH, and FTP rules were taken from the bleeding
> snort rules.
> They've been modified for use with snortsam.  These
> have been working
> great for us.  The thresholds are what make these
> work great.  With
> snortsam,  we can add DROP rules for everything from
> that IP address
> to our firewall.
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (   msg:
> "BLOCKED
> Potential SSH Scan"; \
>                                                
> priority:1; \
>                                                
> flags: S; flowbits: \
>                                                
> set,ssh.brute.attempt; \
>                                                
> threshold: type
> threshold, track by_src, count 15, seconds 300; \
>                                                
> classtype: attempted-recon; \
> 
>
reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/;
> \
>                                                 sid:
> 1000000; rev:13;
> fwsam: src, 30 days;)
> 
> alert tcp $DMZ_NET 80 -> $EXTERNAL_NET any (    msg:
> "BLOCKED
> Excessive HTTP 404 - Possible vulnerability scan"; \
>                                                
> priority:1; classtype:
> attempted-recon; \
>                                                
> flow:established,from_server; \
>                                                
> threshold: type
> threshold, track by_dst, count 30, seconds 300; \
>                                                
> fwsam: dst, 30 days; \
>                                                
> sid:1000001; rev:1; \
>                                                
> content:"404"; nocase;)
> 
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (  
> msg:"BLOCKED Potential
> FTP Brute-Force attempt"; \
>                                                
> flow:from_server,established; \
>                                                
> content:"530 ";
> pcre:"/^530\s+(Login|User|Failed)/smi"; \
>                                                
> classtype:unsuccessful-user; \
>                                                
> threshold: type
> threshold, track by_dst, count 15, seconds 300; \
>                                                
> sid:1000002; rev:1; \
>                                                
> fwsam: dst, 30 days;)
> 
> On 5/23/07, Atkins, Dwane P <ATKINSD at ...9240...>
> wrote:
> >
> >
> >
> >
> > In an attempt to possible thwart attacks prior to
> arriving a the desktop, we
> > are looking for a signature that would alert us as
> to when someone is trying
> > to FTP or SSH into a system on our network.  I am
> thinking that if someone
> > has typed in 5 or 6 passwords and has not
> connected, then they certainly do
> > not have a need to be there.
> >
> >
> >
> > Does anyone out there have a signature for this
> type of incident?
> >
> >
> >
> > We would probably be looking at Telnet, SSH, FTP
> and possible HTTP.
> >
> >
> >  Thanks
> >
> >
> >  Dwane
> >
> >
> >
> > Dwane Atkins
> >
> > 210-567-0158
> >
> >
> >
> >
> >
>
-------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2
> express and take
> > control of your XML. No limits. Just data. Click
> to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or
> unsubscribe:
> >
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> >
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> 
>
-------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2
> express and take
> control of your XML. No limits. Just data. Click to
> get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 


__________________________________________________
Fale com seus amigos  de graça com o novo Yahoo! Messenger 
http://br.messenger.yahoo.com/ 




More information about the Snort-users mailing list