Paul Schmehl wrote:
Does anyone have one?
I put together a very simple one to catch *outgoing* evil, but I'm
wondering if anyone has packet captures that would help with content
definitions.
Here's the rule I wrote:
# New rule for catching ssh brute-force attacks
alert tcp $HOME_NET any -> any 22 (msg:"SSH Brute-Force attack";
threshold: type both, track by_src, count 2000, seconds 60;
classtype:trojan-activity; sid:1000281; rev:2;)
It's catching some legitimate sessions, so I'l probably need to raise
the threshold more, but I'm wondering if there's a packet capture that
has something unique the rule could trigger on.
The problem with active and adaptive attacks against long-lived
cryptographic secrets (decryption keys in the pubkey pair, for
example) is that they can be accomplished quietly, over the course
of days or weeks, without detection. The remote timing attack against
OpenSSL run without blinding is one such attack.
In some cases it's a defect in the protocol -- the adaptive chosen
plaintext attack against WEP succeeds because decryption errors and
stats aren't reported, or even accessible, in 802.11 et seq.
I'm curious about what this accomplishes, apart from raising the
ambient noise level.
-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
