IDS signature for login Failure

Unanswered Question
May 3rd, 2007

Is there a signature that detects login failures where you can set a threshold for like 3 login failures and, if this is attained, someone will be alerted?


Seems pretty common, right?


Thanks

dpatkins Thu, 05/03/2007 - 07:55

Sorry. I didn't tell it all. I would like to know if someone is trying to SSH, FTP or whatever the situation may be. If we determine that the login threshold is 5, we can set it and be alerted if someone is attempting to login.


Thanks


mhellman Thu, 05/03/2007 - 08:41

IMHO, this is better accomplished using a tool that monitors host logs. The sensor can't do much for encrypted protocols like SSH and HTTPS.


However, there are signatures for a couple of protocols:

3127-0, SNMP brute force
5606-0, 6255-0, SMB auth failure
6250-0, FTP auth failure
6251-0, telnet auth failure
6252-0, rlogin auth failure
6253-0, pop3 login failure
6256-0, HTTP auth failure


attmidsteam Sat, 05/05/2007 - 13:41

You can craft a custom sweep signature with a dest port of . Basically you want to look for a single host attempting more than one connection attempt to more than one target IP in a very short duration (say 3-5 seconds) then choose the action (alert, drop, shun, etc). Hope that helps sir!

dpatkins Wed, 05/09/2007 - 05:50

Can you explain how I would create such a signature? And will this include logins?


Thank you,


Dwane

mhellman Wed, 05/09/2007 - 06:08

IMHO, you can't do this very effectively with a layer 4 signature for many protocols. Either because I can attempt to login many times during a single TCP session, or because multiple TCP sessions are not necessarily good indicators of login attempts. It is very unlikely any signature like this would include "logins" because it's triggering on layer 4 information.

attmidsteam Sat, 05/12/2007 - 09:09

It will not include logins, no, as it is using the 'sweep' engine. Basically you are looking for more than one target connection attempt within a given window. You can easily do this today for SSH. When you craft your signature, configure a threshold of, say, 5 unique targets in 10-30 seconds from a single source. Your storage key and summary key should be Axxx, define your target port as 22, and your tcp-flag will obviously be SYN. Hope this helps!
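
Added example, not from any post in this thread: a small sliding-window threshold detector in Python that illustrates both suggestions made above. Run over constructed sshd log lines it does what mhellman recommends (count failed logins per source on the host, since the sensor cannot see inside SSH), and run over constructed SYN records it does what attmidsteam's sweep signature does (count distinct targets a single source hits on port 22 within a short window). The log lines, connection records, thresholds and the year 2007 supplied for syslog timestamps are all assumptions made for the example; the `WindowedThreshold` class is hypothetical helper code, not a Cisco IPS feature.

```python
"""Sliding-window threshold alerting: failed logins from host logs and
an SSH 'sweep' over connection records. Constructed sample data throughout."""
import re
from collections import defaultdict, deque
from datetime import datetime


class WindowedThreshold:
    """Per-key sliding window (hypothetical helper): fire once when
    `threshold` events (or distinct values, if distinct=True) from the same
    key land within `window` seconds, then reset that key so the next burst
    is counted afresh. Events must be fed in timestamp order."""

    def __init__(self, threshold, window, distinct=False):
        self.threshold = threshold
        self.window = window
        self.distinct = distinct
        self.seen = defaultdict(deque)  # key -> deque of (timestamp, value)

    def add(self, key, ts, value=None):
        q = self.seen[key]
        q.append((ts, value))
        while ts - q[0][0] > self.window:  # drop events older than the window
            q.popleft()
        count = len({v for _, v in q}) if self.distinct else len(q)
        if count >= self.threshold:
            q.clear()  # fire once per burst, like a summarised alert
            return count
        return 0


# --- Host-log side: failed SSH logins (constructed sshd syslog lines) ---
AUTH_LOG = """\
May  3 07:55:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
May  3 07:55:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
May  3 07:55:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
May  3 07:55:04 host sshd[1004]: Accepted password for alice from 198.51.100.7 port 50001 ssh2
May  3 07:55:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 40004 ssh2
May  3 07:55:06 host sshd[1006]: Failed password for bob from 198.51.100.7 port 50002 ssh2
May  3 07:58:09 host sshd[1007]: Failed password for root from 203.0.113.5 port 40005 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+) port"
)


def syslog_ts(ts, year=2007):
    """Syslog omits the year; the caller supplies it (2007 is assumed here)."""
    normalised = " ".join(ts.split())
    return datetime.strptime(f"{year} {normalised}", "%Y %b %d %H:%M:%S").timestamp()


def detect_failed_logins(log_text, threshold=3, window=60):
    """Return [(src, count)] for each source reaching `threshold` failed SSH
    logins within `window` seconds, the way a host-log monitor would."""
    det = WindowedThreshold(threshold, window)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        n = det.add(m["src"], syslog_ts(m["ts"]))
        if n:
            alerts.append((m["src"], n))
    return alerts


# --- Sensor side: SYN sweep on port 22 (constructed records) ---
# (seconds, src, dst, dport, tcp flags)
CONNECTIONS = [
    (0.0, "203.0.113.9", "10.0.0.1", 22, "S"),
    (0.5, "203.0.113.9", "10.0.0.2", 22, "S"),
    (1.0, "203.0.113.9", "10.0.0.2", 22, "S"),  # repeat target, not new
    (1.5, "203.0.113.9", "10.0.0.3", 22, "S"),
    (2.0, "203.0.113.9", "10.0.0.4", 80, "S"),  # wrong port, ignored
    (2.5, "203.0.113.9", "10.0.0.5", 22, "S"),
    (3.0, "203.0.113.9", "10.0.0.6", 22, "S"),  # 5th distinct target
    (4.0, "198.51.100.7", "10.0.0.1", 22, "S"),
    (40.0, "203.0.113.9", "10.0.0.7", 22, "S"),  # outside the window
]


def detect_ssh_sweep(records, threshold=5, window=10, port=22):
    """Return [(src, distinct_targets)] for sources that SYN to `threshold`
    distinct hosts on `port` within `window` seconds (the sweep-engine idea).
    Note it sees connections only, never whether a login was attempted."""
    det = WindowedThreshold(threshold, window, distinct=True)
    alerts = []
    for ts, src, dst, dport, flags in sorted(records):
        if dport != port or "S" not in flags:
            continue
        n = det.add(src, ts, dst)
        if n:
            alerts.append((src, n))
    return alerts


if __name__ == "__main__":
    print("failed-login alerts:", detect_failed_logins(AUTH_LOG))
    print("ssh sweep alerts:", detect_ssh_sweep(CONNECTIONS))
```

The two detectors share one windowing helper but key on different things: the host-log detector counts every failure from a source (so repeated attempts inside one SSH session are seen), while the sweep detector only counts distinct destination addresses and never learns whether any login happened, which is exactly the limitation discussed in the posts above.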

dpatkins Mon, 05/14/2007 - 08:14

I am going to give this a shot. Thanks for the help, and I will get back to let you all know how it went. It may be a little while.


Dwane
