
List:       snort-sigs
Subject:    Re: [Snort-sigs] RE: FTP brute force login signature
From:       James Riden <j.riden () massey ! ac ! nz>
Date:       2003-11-13 20:49:32

"adam.w.hogan" <adam.w.hogan@delphi.com> writes:

> But, the rule does not catch programs that use a much smaller list of passwords to
> try.  Lately I've seen a lot of worms that use a simple list of passwords like user
> name, user name backwards, admin, secret, blank, etc. instead of running through a
> giant dictionary.  So I want to throw out an idea for comments to shorten the
> necessary threshold triggers.  I guess the trick is putting it just out of range of
> the user who can't remember his password.  Here's my suggestion for the rule:
>
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute force attack"; content:"530 Login "; nocase; flow:from_server,established; threshold: type both, track by_dst, count 5, seconds 10; sid:10491;)
>
> Any thoughts?

Why not cover the brute-force case with a threshold, and then add
separate rules for default and common passwords?

(Assuming you're running something like john the ripper to make sure
people don't really have guessable passwords.)

cheers,
 Jamie
-- 
James Riden / j.riden@massey.ac.nz / Systems Programmer - Security
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402 / mobile: 025 671 6418
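Added example, not part of either message in the thread: a small Python model of how the "threshold: type both, track by_dst, count 5, seconds 10" clause in the proposed rule behaves, run over constructed FTP server responses. The window semantics follow the Snort 2 manual's description of type both (alert once per time window after count matches, then ignore further matches until the window expires); the event records, addresses and helper names are assumptions for illustration.

```python
# Added example (not from the thread): models Snort 2 "threshold: type both"
# over constructed FTP "530 Login incorrect" server responses.
from collections import namedtuple

# src is the FTP server, dst is the client (rule direction $HOME_NET 21 -> $EXTERNAL_NET)
Event = namedtuple("Event", "ts src dst payload")


class BothThreshold:
    """Per-tracked-IP state for a 'type both' threshold (one rule, one sid)."""

    def __init__(self, count, seconds, track="by_dst"):
        self.count, self.seconds, self.track = count, seconds, track
        self.windows = {}  # key -> [window_start, hits, alerted_this_window]

    def check(self, ev):
        key = ev.dst if self.track == "by_dst" else ev.src
        w = self.windows.get(key)
        if w is None or ev.ts - w[0] >= self.seconds:
            w = self.windows[key] = [ev.ts, 0, False]  # start a fresh window
        w[1] += 1
        if w[1] >= self.count and not w[2]:
            w[2] = True  # alert once per window, suppress the rest
            return True
        return False


def run_rule(events, count=5, seconds=10):
    """Return (timestamp, client) pairs at which the brute-force rule would fire."""
    thr = BothThreshold(count, seconds)
    alerts = []
    for ev in events:
        if "530 login" in ev.payload.lower():  # content:"530 Login "; nocase
            if thr.check(ev):
                alerts.append((ev.ts, ev.dst))
    return alerts


# Constructed sample: one client hammering, one user who just mistyped twice.
SERVER, HAMMER, TYPO = "192.0.2.21", "198.51.100.7", "198.51.100.9"
SAMPLE = (
    [Event(100 + i, SERVER, HAMMER, "530 Login incorrect.\r\n") for i in range(8)]
    + [Event(105, SERVER, TYPO, "530 Login incorrect.\r\n"),
       Event(130, SERVER, TYPO, "530 Login incorrect.\r\n"),
       Event(131, SERVER, TYPO, "230 User logged in.\r\n")]
)

if __name__ == "__main__":
    for ts, dst in run_rule(SAMPLE):
        print(f"t={ts}: FTP Brute force attack (client {dst})")
```

The hammering client fires exactly one alert at its fifth failure and is then silenced for the rest of the 10-second window, while the user with two failures 25 seconds apart never reaches the count.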



