[Snort-users] Failed FTP login signature
This is a discussion on [Snort-users] Failed FTP login signature within the Snort forums, part of the System Security and Security Related category; This is a multi-part message in MIME format. --===============1501110054== Content-class: urn:content-classes:message Content-Type: multipart/alternative; ...
|
|||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
05-23-2007
|
|||
|
|||
[Snort-users] Failed FTP login signature
This is a multi-part message in MIME format.
--===============1501110054== Content-class: urn:content-classes:message Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C79D44.723863C1" This is a multi-part message in MIME format. ------_=_NextPart_001_01C79D44.723863C1 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable In an attempt to possible thwart attacks prior to arriving a the desktop, we are looking for a signature that would alert us as to when someone is trying to FTP or SSH into a system on our network. I am thinking that if someone has typed in 5 or 6 passwords and has not connected, then they certainly do not have a need to be there. =20 Does anyone out there have a signature for this type of incident? =20 We would probably be looking at Telnet, SSH, FTP and possible HTTP. Thanks=20 Dwane =20 Dwane Atkins 210-567-0158 <mailto:atkinsd@uthscsa.edu> =20 =20 ------_=_NextPart_001_01C79D44.723863C1 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable <html xmlns:o=3D"urn:schemas-microsoft-com:office:office" = xmlns:w=3D"urn:schemas-microsoft-com:office:word" = xmlns=3D"http://www.w3.org/TR/REC-html40"> <head> <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; = charset=3Dus-ascii"> <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)"> <style> <!-- /* Style Definitions */ p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0in; margin-bottom:.0001pt; font-size:12.0pt; font-family:"Times New Roman";} a:link, span.MsoHyperlink {color:blue; text-decoration:underline;} a:visited, span.MsoHyperlinkFollowed {color:purple; text-decoration:underline;} span.EmailStyle17 {mso-style-type:personal-compose; font-family:Arial; color:windowtext;} @page Section1 {size:8.5in 11.0in; margin:1.0in 1.25in 1.0in 1.25in;} div.Section1 {page:Section1;} --> </style> </head> <body lang=3DEN-US link=3Dblue vlink=3Dpurple> <div class=3DSection1> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>In an attempt to possible thwart attacks prior to = arriving a the desktop, we are looking for a signature that would alert us as to = when someone is trying to FTP or SSH into a system on our network. I am = thinking that if someone has typed in 5 or 6 passwords and has not connected, = then they certainly do not have a need to be there.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>Does anyone out there have a signature for this type = of incident?<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'>We would probably be looking at Telnet, SSH, FTP and possible HTTP.<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><br> Thanks <o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><br> Dwane<o:p></o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3DArial><span = style=3D'font-size:10.0pt; font-family:Arial'><o:p> </o:p></span></font></p> <p class=3DMsoNormal><font size=3D2 face=3D"Times New Roman"><span = style=3D'font-size: 10.0pt'>Dwane Atkins</span></font><o:p></o:p></p> <p class=3DMsoNormal><font size=3D2 face=3D"Times New Roman"><span = style=3D'font-size: 10.0pt'>210-567-0158</span></font><o:p></o:p></p> <p class=3DMsoNormal><font size=3D2 face=3D"Times New Roman"><span = style=3D'font-size: 10.0pt'><a = href=3D"mailto:atkinsd@uthscsa.edu"></a></span></font> <o:p></o:p></= p> <p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span = style=3D'font-size: 12.0pt'><o:p> </o:p></span></font></p> </div> </body> </html> ------_=_NextPart_001_01C79D44.723863C1-- --===============1501110054== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ --===============1501110054== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline _______________________________________________ Snort-users mailing list Snort-users@lists.sourceforge.net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users --===============1501110054==-- 
|
Linear Mode
