Hi Joao,
I think you are trying to use the wrong tool for that.
Snort do not have access to the content of the ssh
messages, so you don't know what is going on there
(if the login failed, succeeded, etc).
In addition to that, in just one session (or just one
Syn), a user may attempt 2 or 3 or more passwords
(depending on the sshd server config).
I really recommend you to use a log analysis tool
to solve this kind of problem. You will be able to
see the server response, the user name tried and
exactly the number of attempts. I have been using
ossec hids (I'm one of the developers) for that and
it is working great.
In addition to that, most of the people don't know,
but ossec can analyse snort logs and execute actions
based on them in a "safe" manner. For example, you
can configure it to block an IP if we see 5 snort
alerts within 1 minute for that IP (or if we see an
alert from a specific category, etc). It avoids
false-positives and make the active response much
more reliable...
*Example of alert from ossec on multiple ssh failed
logins (it will mail and administrator and block the
IP):
"
OSSEC HIDS Notification.
2006 May 11 21:17:07
Received From: /var/log/messages
Rule: 1512 fired (level 10) -> "SSHD brute force
trying to get access to the system.'"
Portion of the log(s):
sshd[9370]: Failed password for invalid user admin
from 200.30.175.162 port 58257 ssh2
sshd[9370]: Invalid user admin from 200.30.175.162
sshd[9368]: Failed password for invalid user fluffy
from 200.30.175.162 port 58212 ssh2
sshd[9368]: Invalid user fluffy from 200.30.175.162
sshd[9366]: Failed password for invalid user slasher
from 200.30.175.162 port 58109 ssh2
sshd[9366]: Invalid user slasher from 200.30.175.162
sshd[9364]: Failed password for invalid user sifak
from 200.30.175.162 port 58030 ssh2
"
Sorry if I changed the subject too much :)
Thanks,
--
Daniel B. Cid
dcid @ ( at ) ossec.net
Hello snorters,
A strange thing happened in my snort box. I'm only
using snort to
block ssh brute force attacks. I'm using it with
snortsam and, because
I couldn't patch the current snort version, I'm using
the one already
patched avaible at the snortsam web site (v 2.4.3
Build 26).
Everything was working great (26 sucessfull blocks)
until yesterday
when a brute force attack was missed (doesn't show in
the snort logs).
The system logs showed over 70 login failures in less
than 10 minutes
and I have a threshold of 5 SYN packets to the port
22 >per minute. The
rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:
"BLEEDING-EDGE
Potential SSH Scan"; flags: S; threshold: type
threshold, track
by_src, count 5, seconds 60; sid: 2001219; rev:12;
fwsam:
src[either],5min; )
Another attack after that one was still detected.
Does >anyone have a
clue why did this happened? Was there a bugfix
related >to this in more
recente snort releases?
Thanks
- --
João Mota <joao@3gnt.net>
3GNTW - Tecnologias de Informação, Lda
sip: joao@3gnt.net
jid: joao@jabber.3gnt.org
_______________________________________________________
Abra sua conta no Yahoo! Mail: 1GB de espaço, alertas de e-mail no celular e
anti-spam realmente eficaz.
http://br.info.mail.yahoo.com/
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
