Re: [Snort-users] Fwd: Failed FTP login signature

Hi Christopher,

That's what I would call using the right tool for the =

wrong reasons (or something like that).

The provided sshd signature does not detect brute
force attacks, but multiple connections from the same
source ip (failed or not). The HTTP signature can
easily generate false positivies since you are just
looking for the content "404", and it would not work
with SSL...

My point is: why not use log analysis to detect failed
logins (and brute force attacks)? Both sshd, apache, =

apache-ssl, ftp, telnet, etc ,etc log every failed
login attempt (and every successful login attempt)?

By using log analysis you can reliably detect every
failure and you don't need to worry about encrypted
traffic. Plus, you can do more useful stuff, like
detecting multiple failed login attempts followed
by a success (successful brute force attack) and
monitoring every successful login to your systems.

I wrote a paper while back with some patterns that
we can look in authentication logs:

http://www.ossec.net/en/loganalysis.html

And if you are looking for an open source tool to
monitor all your logs (from Apache to sshd, proftpd,
Windows logs, etc, etc), with the ability to execute
active responses based on them (blocking ips,
disabling users, etc), you can try ossec*:

http://www.ossec.net
http://www.ossec.net/wiki/index.php/FAQ

*note that I am the author of this tool.

hope it helps.

--
Daniel B. Cid
dcid ( at ) ossec.net




--- Christopher <christopher@dorkfire.com> escreveu:

> Just in case anyone else finds this useful:
> =

> The SSH, and FTP rules were taken from the bleeding
> snort rules.
> They've been modified for use with snortsam. These
> have been working
> great for us. The thresholds are what make these
> work great. With
> snortsam, we can add DROP rules for everything from
> that IP address
> to our firewall.
> =

> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 ( msg:
> "BLOCKED
> Potential SSH Scan"; \
> =

> priority:1; \
> =

> flags: S; flowbits: \
> =

> set,ssh.brute.attempt; \
> =

> threshold: type
> threshold, track by_src, count 15, seconds 300; \
> =

> classtype: attempted-recon; \
> =

>
reference:url,http://www.whitedust.net/article/27/...e-Force%20Att=
acks/;
> \
> sid:
> 1000000; rev:13;
> fwsam: src, 30 days;)
> =

> alert tcp $DMZ_NET 80 -> $EXTERNAL_NET any ( msg:
> "BLOCKED
> Excessive HTTP 404 - Possible vulnerability scan"; \
> =

> priority:1; classtype:
> attempted-recon; \
> =

> flow:established,from_server; \
> =

> threshold: type
> threshold, track by_dst, count 30, seconds 300; \
> =

> fwsam: dst, 30 days; \
> =

> sid:1000001; rev:1; \
> =

> content:"404"; nocase;)
> =

> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any ( =

> msg:"BLOCKED Potential
> FTP Brute-Force attempt"; \
> =

> flow:from_server,established; \
> =

> content:"530 ";
> pcre:"/^530\s+(Login|User|Failed)/smi"; \
> =

> classtype:unsuccessful-user; \
> =

> threshold: type
> threshold, track by_dst, count 15, seconds 300; \
> =

> sid:1000002; rev:1; \
> =

> fwsam: dst, 30 days;)
> =

> On 5/23/07, Atkins, Dwane P <ATKINSD@uthscsa.edu>
> wrote:
> >
> >
> >
> >
> > In an attempt to possible thwart attacks prior to
> arriving a the desktop, we
> > are looking for a signature that would alert us as
> to when someone is trying
> > to FTP or SSH into a system on our network. I am
> thinking that if someone
> > has typed in 5 or 6 passwords and has not
> connected, then they certainly do
> > not have a need to be there.
> >
> >
> >
> > Does anyone out there have a signature for this
> type of incident?
> >
> >
> >
> > We would probably be looking at Telnet, SSH, FTP
> and possible HTTP.
> >
> >
> > Thanks
> >
> >
> > Dwane
> >
> >
> >
> > Dwane Atkins
> >
> > 210-567-0158
> >
> >
> >
> >
> >
>
-------------------------------------------------------------------------
> > This SF.net email is sponsored by DB2 Express
> > Download DB2 Express C - the FREE version of DB2
> express and take
> > control of your XML. No limits. Just data. Click
> to get it now.
> > http://sourceforge.net/powerbar/db2/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or
> unsubscribe:
> >
>
https://lists.sourceforge.net/lists/...fo/snort-users
> > Snort-users list archive:
> >
>
http://www.geocrawler.com/redir-sf.p...=3Dsnort-users
> >
> =

>
-------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2
> express and take
> control of your XML. No limits. Just data. Click to
> get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
>
https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
>
http://www.geocrawler.com/redir-sf.p...=3Dsnort-users
> =



__________________________________________________
Fale com seus amigos de gra=E7a com o novo Yahoo! Messenger =

http://br.messenger.yahoo.com/ =


-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...=3Dsnort-users