
List:       snort-sigs
Subject:    RE: [Snort-sigs] Rule for detecting MS Exchange SMTP AUTH LOGON b
From:       "Grejda, Eric" <EGrejda () county ! allegheny ! pa ! us>
Date:       2003-11-18 14:39:41

> 1) you should really force this to be inside a flow.
> ...

I'm not going to respond to this just yet, not until I get a better handle
on how Snort handles flows.

> 2) You've added a rather large offset.  On the exchange servers I've

The offset was taken from an article that I'd read about the problem the
rule's supposed to detect.  I knew that I was taking a chance on it but
until I'd determined if the offset changed from release to release I decided
to stick with the information I'd found.  I can forward the URL if you like.

>    seen, this is too large.  Since this is a generic authentication
>    failure message, it's not just exchange we would be alerting on.  So
>    let's change the message too.

Makes sense to me.

One of the things that I'd done was make the trigger string a bit more
generic.  Specifically, it should be looking for "535 5.7.3 Authentication
unsuccessful" but after some debate over whether or not the "5.3.5" string
could change from revision to revision, that was dropped, along with "535".

> 3) You don't use $SMTP_SERVERS, which is a default variable useful for
>    quick rule tuning.

True.  More a quirk of my day-to-day network environment than anything else.
Sorry.

> 4) By using track by_dst, you won't pick up on someone using a number
>    of hosts to do the brute force.  Since you only care about the
>    server error message anyway, we should track by source IP.

True.  I've not yet heard of any one person using multiple IP addresses to
brute force SMTP AUTH so I decided to go with tracking by destination IP.  I
guess that was a bad idea.

> alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP 
> authentication brute force attempt"; content:"Authentication 
> unsuccessful"; nocase; classtype:successful-user; 
> threshold:type threshold, track by_src, count 5, seconds 60; 
> sid:1000500; rev:3;)

Looks like I messed that one up.  First tries at anything usually aren't
pretty.

--
Eric Grejda
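The point under item 4 above (why `track by_src` on a server-to-client rule counts all failed logons hitting the server, while `track by_dst` only counts per client) is easier to see in a small model. The following is an added example, not code from the thread or from Snort itself: it is a simplified Python model of `threshold:type threshold, count 5, seconds 60` applied to constructed SMTP reply packets. The server address, client addresses and timestamps are made up, and the window handling is an approximation of Snort's thresholding rather than its exact implementation.

```python
"""Simplified model of the thresholded SMTP AUTH failure rule from the thread.

Rule being modelled (direction is server -> client, so 'src' is the SMTP server):
  alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (content:"Authentication unsuccessful";
        nocase; threshold:type threshold, track by_src, count 5, seconds 60; ...)
"""
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float     # seconds since start of capture (constructed)
    src: str      # sender IP
    sport: int    # sender port
    dst: str      # receiver IP
    payload: str  # SMTP reply line

# Rule parameters exactly as posted in the thread.
CONTENT = "authentication unsuccessful"   # matched case-insensitively (nocase)
COUNT = 5
SECONDS = 60

# Constructed stand-in for the $SMTP_SERVERS variable.
SMTP_SERVERS = {"192.0.2.25"}

def matches(pkt: Packet) -> bool:
    """Content and header part of the rule: reply from an SMTP server on port 25."""
    return (pkt.src in SMTP_SERVERS and pkt.sport == 25
            and CONTENT in pkt.payload.lower())

def threshold_alerts(packets, track: str):
    """Approximate 'threshold:type threshold': per tracked address, fire on every
    COUNT-th matching packet inside a SECONDS-long window, then start counting again.
    track is "by_src" (key on the server, the packet source) or "by_dst" (key on the
    client receiving the error)."""
    state = {}   # tracked address -> (window_start, matches_so_far)
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        if not matches(pkt):
            continue
        key = pkt.src if track == "by_src" else pkt.dst
        start, n = state.get(key, (pkt.ts, 0))
        if pkt.ts - start > SECONDS:      # window expired: restart it
            start, n = pkt.ts, 0
        n += 1
        if n >= COUNT:
            alerts.append((pkt.ts, key))
            n = 0                         # type threshold: count again from zero
        state[key] = (start, n)
    return alerts

FAIL = "535 5.7.3 Authentication unsuccessful\r\n"
BANNER = "220 mail.example.test ESMTP ready\r\n"   # no match, should be ignored

# Constructed traffic: five failures in 40 s, each to a different client IP,
# plus one banner line. This is the "many hosts" case from item 4.
DISTRIBUTED = [Packet(0,  "192.0.2.25", 25, "198.51.100.1", FAIL),
               Packet(5,  "192.0.2.25", 25, "198.51.100.6", BANNER),
               Packet(10, "192.0.2.25", 25, "198.51.100.2", FAIL),
               Packet(20, "192.0.2.25", 25, "198.51.100.3", FAIL),
               Packet(30, "192.0.2.25", 25, "198.51.100.4", FAIL),
               Packet(40, "192.0.2.25", 25, "198.51.100.5", FAIL)]

# Constructed traffic: five failures in 40 s, all to the same client IP.
SINGLE_CLIENT = [Packet(t, "192.0.2.25", 25, "198.51.100.9", FAIL)
                 for t in (0, 10, 20, 30, 40)]

def summarize():
    """Alert counts for both tracking modes and both traffic samples."""
    return {("distributed", t): len(threshold_alerts(DISTRIBUTED, t))
            for t in ("by_src", "by_dst")} | \
           {("single", t): len(threshold_alerts(SINGLE_CLIENT, t))
            for t in ("by_src", "by_dst")}

if __name__ == "__main__":
    for (sample, track), n in summarize().items():
        print(f"{sample:12s} {track}: {n} alert(s)")
```

With the distributed sample, `by_dst` keys on each client and never reaches five, so it produces no alert, while `by_src` keys on the server and fires once at the fifth failure; with a single client both modes fire once. Note that `by_src` on this rule also means a lone server will hit the threshold on five unrelated users mistyping passwords within a minute, so the count and window should be tuned against normal failure rates on the servers in `$SMTP_SERVERS`.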

