Flowbits is part of the standard snort for anything remotely recent.
The basis is you can use a flowbit like a variable, so you can pass
information from one stream or one sig to another.
In this case you could write another sig that only applied when
ssh.brute.attempt was set.
It's not relevant at this point because the sigs we had that did check
that variable we dropped. We thought a while ago we had a lead on the
packet size that we'd see on a successful authentication. So we wanted
to start looking for that packet if there was a brute going on, that
being a big problem if a brute got a successful auth.
But the packet size proved not to be consistent.
But this sig is still very valuable on it's own. And accurate.
Matt
Paul Schmehl wrote:
--On Wednesday, July 06, 2005 13:01:02 -0500 Matt Jonkman
<matt@infotex.com> wrote:
SCAN/SCAN_SSH_Brute_Force:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE
Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt;
threshold: type threshold, track by_src, count 5, seconds 120;
classtype: suspicious-login; sid: 2001219; rev:10; )
We've tweaked this one to be near perfect. We are setting the
ssh.brute.attempt, but the other sigs that used to use it were removed.
So we could take that out, but it'll surely be useful somewhere down the
line.
This is in the SCAN ruleset on bleeding.
Let us know how the threshold in this one affects your net, being larger
than average.
I'll let you know, but I have one question.
What is this: flowbits: set,ssh.brute.attempt;
^^^^^^^^^^^^^^
Is that a special, bleeding-snort conf value? Or part of the std snort
distro?
Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
www.bleedingsnort.com
--------------------------------------------
NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
