They seem to both work.
Thank you and have a great day.
Dwane
-----Original Message-----
From: Valter Santos [mailto:vsantola@sectoid.com]
Sent: Thursday, June 28, 2007 12:20 PM
To: Joel Ebrahimi
Cc: Atkins, Dwane P; Snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Rules to block FT
Hi all,
I think what Dwane is looking for is ftp brute force attempts against
his own ftp servers, so this should do it:
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any
Responses from $HOME_NET 21 to external hosts... the full rule from
bleeding threats:
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE SCAN
Potential FTP Brute-Force attempt"; flow:from_server,established;
content:"530 "; pcre:"/^530\s+(Login|User|Failed)/smi";
classtype:unsuccessful-user; threshold: type threshold, track by_dst,
count 5, seconds 120; sid:2002383; rev:4;)
take care
/valter
On 6/28/07, Joel Ebrahimi <jebrahimi@stillsecure.com> wrote:
Hi Dwane,
There is a problem with this rule. The content detection portion of
the
rule looks good, it looks for the 530 response from FTP for an
incorrect
login.
The problem lies within the rule header though (alert tcp $HOME_NET
any ->
$EXTERNAL_NET 21), this content that is being looked for is from the
client
to the server, where it is really the server that sends the 530 error
code
so by switching the direction your monitoring this pattern for you
should be
good to go (alert tcp $EXTERNAL_NET 21 -> $HOME_NET any).
//Joel
StillSecure
Joel Ebrahimi
Senior Software Engineer
http://www.stillsecure.com/
The information transmitted is intended only for the person
to whom it is addressed and may contain confidential material.
Review or other use of this information by persons other than
the intended recipient is prohibited. If you've received
this in error, please contact the sender and delete
from any computer.
-----Original Message-----
From: snort-users-bounces@lists.sourceforge.net on behalf
of Atkins, Dwane P
Sent: Wed 6/27/2007 9:18 AM
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Rules to block FT
I have a testbed set up and have already alerted and blocked via
snortsam for SSH. I am now working on FTP.
My rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 ( msg:"BLOCKED
Potential
FTP Brute-Force attempt";flow:from_server,established;
content:"530 ";
pcre:"/^530\s+(Login|User|Failed)/smi";classtype:unsuccessful-user;
threshold: type threshold, track by_dst, count 10, seconds 60;
sid:1000002; rev:1; fwsam: src, 5 minutes;)
Does this look like it will work? I am not that adept about building
rules and am learning. This was from bleeding edge, I think.
Dwane
------------------------------------------------------------------------
-
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
