05-03-2007 07:26 AM - edited 03-10-2019 03:35 AM
Is there a signature that detects login failures where you can set a threshold for like 3 login failures and if this is attained, someone will be alerted?
Seems pretty common, right?
Thanks
05-03-2007 07:55 AM
Sorry. I didn't tell it all. I would like to know if someone is trying to SSH, FTP or whatever the situation may be. If we determine that the login threshold is 5, we can set it and be alerted if someone is attempting to log in.
Thanks
05-03-2007 08:41 AM
IMHO, this is better accomplished using a tool that monitors host logs. The sensor can't do much for encrypted protocols like SSH and HTTPS.
However, there are signatures for a couple protocols:
3127-0, SNMP brute force
5606-0, 6255-0, SMB auth failure
6250-0, FTP auth failure
6251-0, telnet auth failure
6252-0, rlogin auth failure
6253-0, pop3 login failure
6256-0, HTTP auth failure
05-05-2007 01:41 PM
You can craft a custom sweep signature with a dest port of
05-09-2007 05:50 AM
Can you explain how I would create such a signature? And will this include logins?
Thank you,
Dwane
05-09-2007 06:08 AM
IMHO, you can't do this very effectively with a layer 4 signature for many protocols. Either because I can attempt to log in many times during a single TCP session, or because multiple TCP sessions are not necessarily good indicators of login attempts. It is very unlikely any signature like this would include "logins" because it's triggering on layer 4 information.
05-12-2007 09:09 AM
It will not include logins, no, as it is using the 'sweep' engine. Basically you are looking for more than one target connection attempt within a given window. You can easily do this today for SSH. When you craft your signature, configure a threshold of, say, 5 unique targets in 10-30 seconds from a single source. Your storage key and summary key should be Axxx, define your target port as 22, your tcp-flag will obviously be SYN. Hope this helps!
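The sweep logic described in the post above, sketched in Python as an added example (not part of the original thread and not Cisco IPS configuration): it counts unique port-22 targets per source over a sliding window. The event tuples, addresses and the `sweep_alerts` name are constructed for illustration.

```python
from collections import defaultdict, deque

def sweep_alerts(events, port=22, unique_targets=5, window=30):
    """Return (time, source, targets) for each source that sends SYNs to
    `unique_targets` distinct hosts on `port` within `window` seconds."""
    recent = defaultdict(deque)  # state keyed on attacker address only
    alerts = []
    for ts, src, dst, dport, flags in sorted(events):
        if dport != port or flags != "S":  # only bare SYNs to the target port
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop SYNs older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= unique_targets:
            alerts.append((ts, src, sorted(targets)))
            q.clear()  # one alert per burst, then start counting again
    return alerts

# Constructed sample events: (seconds, source, destination, dest port, TCP flags)
EVENTS = (
    # one source touching five different hosts on port 22 in 8 seconds
    [(t, "203.0.113.7", f"192.0.2.{i}", 22, "S")
     for i, t in enumerate(range(0, 10, 2), 1)]
    # six connections to a single host: repeated logins, but only one target
    + [(t, "198.51.100.9", "192.0.2.1", 22, "S") for t in range(1, 7)]
    # five hosts, but 50 seconds apart: slower than the window
    + [(t, "198.51.100.20", f"192.0.2.{i}", 22, "S")
       for i, t in enumerate(range(0, 250, 50), 1)]
)

if __name__ == "__main__":
    for ts, src, targets in sweep_alerts(EVENTS):
        print(f"t={ts}s sweep from {src}: {len(targets)} targets on port 22")
```

Only the first source alerts. The six connections to a single host never trip the threshold, which is the sense in which a sweep signature does not "include logins".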
05-14-2007 08:14 AM
I am going to give this a shot. Thanks for the help and I will get back to let you all know how it went. It may be a little while.
Dwane