IDS signature for login Failure

May 3rd, 2007

Is there a signature that detects login failures where you can set a threshold for like 3 logins failures and if this is attained, someone will be alerted?

Seems pretty common, right?


dpatkins Thu, 05/03/2007 - 07:55

Sorry. I didn't tell it all. I would like to know if someone is trying to SSH, FTP or whatever the situation may be. If we determine that the login threshold is 5, we can set it and be alerted if someone is attempting to login.


mhellman Thu, 05/03/2007 - 08:41

IMHO, this is better accomplished using a tool that monitors host logs. The sensor can't do much for encrypted protocols like SSH and HTTPS.

However, there are signatures for a couple protocols:

3127-0, SNMP brute force
5606-0, 6255-0, SMB auth failure
6250-0, FTP auth failure
6251-0, telnet auth failure
6252-0, rlogin auth failure
6253-0, POP3 login failure
6256-0, HTTP auth failure
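To show what the host-log approach looks like in practice, here is an added example that is not from this thread or from any Cisco product: a small Python detector that reads sshd "Failed password" lines and raises one alert per source address when it sees a configurable number of failures inside a sliding time window (the 5-in-30-seconds numbers used below are assumptions, and the log lines are constructed samples).

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines; the year is assumed because syslog omits it.
SAMPLE_LOG = """\
May  3 07:55:01 host sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40001 ssh2
May  3 07:55:03 host sshd[1202]: Failed password for root from 192.0.2.10 port 40002 ssh2
May  3 07:55:04 host sshd[1203]: Failed password for root from 192.0.2.10 port 40003 ssh2
May  3 07:55:06 host sshd[1204]: Accepted password for alice from 198.51.100.7 port 50010 ssh2
May  3 07:55:07 host sshd[1205]: Failed password for root from 192.0.2.10 port 40004 ssh2
May  3 07:55:09 host sshd[1206]: Failed password for root from 192.0.2.10 port 40005 ssh2
May  3 07:58:00 host sshd[1207]: Failed password for bob from 198.51.100.7 port 50011 ssh2
"""

# Matches the OpenSSH failure message; captures the syslog timestamp and the source IP.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from "
    r"(\d+\.\d+\.\d+\.\d+) port"
)


def parse_failures(text, year=2007):
    """Yield (timestamp, source_ip) for each failed-login line; other lines are ignored."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(2)


def detect_bruteforce(text, threshold=5, window_seconds=30):
    """Return [(source_ip, timestamp)] alerts, one per source, raised the first time
    that source accumulates `threshold` failures within `window_seconds`."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerted = set()               # sources already reported, to avoid repeat alerts
    alerts = []
    for ts, src in parse_failures(text):
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # expire old failures
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerts.append((src, ts))
            alerted.add(src)
    return alerts
```

Because it keys on the source address rather than on TCP sessions, it counts several attempts inside one SSH session correctly, which is exactly the case a layer 4 signature cannot see.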

attmidsteam Sat, 05/05/2007 - 13:41

You can craft a custom sweep signature with a dest port of . Basically you want to look for a single host attempting more than one connection attempt to more than one target IP in a very short duration (say 3-5 seconds) then choose the action (alert, drop, shun, etc). Hope that helps sir!

dpatkins Wed, 05/09/2007 - 05:50

Can you explain how I would create such a signature? And will this include logins?

Thank you,


mhellman Wed, 05/09/2007 - 06:08

IMHO, you can't do this very effectively with a layer 4 signature for many protocols. Either because I can attempt to login many times during a single TCP session, or because multiple TCP sessions are not necessarily good indicators of login attempts. It is very unlikely any signature like this would include "logins" because it's triggering on layer 4 information.

attmidsteam Sat, 05/12/2007 - 09:09

It will not include logins, no, as it is using the 'sweep' engine. Basically you are looking for more than one target connection attempt within a given window. You can easily do this today for SSH. When you craft your signature, configure a threshold of say 5 unique targets in 10-30 seconds from a single source. Your storage key and summary key should be Axxx, define your target port as 22, and your tcp-flag will obviously be SYN. Hope this helps!

dpatkins Mon, 05/14/2007 - 08:14

I am going to give this a shot. Thanks for the help and I will get back to let you all know how it went. It may be a little while.


