IDS signature for login Failure

dpatkins
Level 1

Is there a signature that detects login failures where you can set a threshold for, say, 3 login failures and, if this is reached, someone will be alerted?

Seems pretty common, right?

Thanks

7 Replies

dpatkins
Level 1

Sorry. I didn't tell it all. I would like to know if someone is trying to SSH, FTP or whatever the situation may be. If we determine that the login threshold is 5, we can set it and be alerted if someone is attempting to log in.

Thanks

IMHO, this is better accomplished using a tool that monitors host logs. The sensor can't do much for encrypted protocols like SSH and HTTPS.

However, there are signatures for a couple protocols:

3127-0,SNMP brute force

5606-0,6255-0 SMB auth failure

6250-0, FTP auth failure

6251-0, telnet auth failure

6252-0, rlogin auth failure

6253-0, pop3 login failure

6256-0, HTTP auth failure

You can craft a custom sweep signature with a dest port of . Basically you want to look for a single host attempting more than one connection attempt to more than one target IP in a very short duration (say 3-5 seconds) then choose the action (alert, drop, shun, etc). Hope that helps sir!
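The host-log approach recommended at the top of this reply, as an added example that is not from the thread or from the Cisco sensor: a sliding-window counter that alerts when one source IP produces a threshold of failed SSH logins within a time window. It assumes OpenSSH's syslog "Failed password" line format; the log lines below are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not real data); 10.1.1.50 fails five times in 8 seconds.
SAMPLE_AUTH_LOG = """\
Mar  3 10:00:01 host1 sshd[2201]: Failed password for invalid user admin from 10.1.1.50 port 40001 ssh2
Mar  3 10:00:03 host1 sshd[2202]: Failed password for root from 10.1.1.50 port 40002 ssh2
Mar  3 10:00:04 host1 sshd[2203]: Failed password for root from 10.1.1.50 port 40003 ssh2
Mar  3 10:00:06 host1 sshd[2204]: Accepted password for alice from 10.1.1.7 port 50000 ssh2
Mar  3 10:00:07 host1 sshd[2205]: Failed password for root from 10.1.1.50 port 40004 ssh2
Mar  3 10:00:09 host1 sshd[2206]: Failed password for root from 10.1.1.50 port 40005 ssh2
Mar  3 10:05:00 host1 sshd[2207]: Failed password for bob from 10.1.1.8 port 50001 ssh2
"""

# Matches OpenSSH's failed-password line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port"
)


def parse_failures(text, year=2023):
    """Yield (timestamp, source_ip, username) for each failed-login line.
    `year` is an assumption: syslog timestamps carry no year."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        yield ts, m.group(3), m.group(2)


def threshold_alerts(events, threshold, window_seconds):
    """Per-source sliding window: alert when `threshold` failures from one source
    fall within `window_seconds`. Returns a list of (source_ip, alert_time)."""
    recent = defaultdict(deque)
    alerts = []
    for ts, source, _user in sorted(events):
        q = recent[source]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that aged out of the window
        if len(q) >= threshold:
            alerts.append((source, ts))
            q.clear()  # one burst raises one alert, like a sensor summary key
    return alerts


if __name__ == "__main__":
    for src, when in threshold_alerts(list(parse_failures(SAMPLE_AUTH_LOG)), 5, 30):
        print(f"ALERT: {src} exceeded 5 failed SSH logins within 30s at {when}")
```

The same counter can be keyed on (source, destination) or fed FTP and other plaintext-protocol log lines by swapping the regex.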

Can you explain how I would create such a signature? And will this include logins?

Thank you,

Dwane

IMHO, you can't do this very effectively with a layer 4 signature for many protocols. Either because I can attempt to login many times during a single TCP session, or because multiple TCP sessions are not necessarily good indicators of login attempts. It is very unlikely any signature like this would include "logins" because it's triggering on layer 4 information.

It will not include logins, no, as it is using the 'sweep' engine. Basically you are looking for more than one target connection attempt within a given window. You can easily do this today for SSH. When you craft your signature, configure a threshold of say 5 unique targets in 10-30 seconds from a single source. Your storage key and summary key should be Axxx, define your target port as 22, and your tcp-flag will obviously be SYN. Hope this helps!

I am going to give this a shot. Thanks for the help and I will get back to let you all know how it went. It may be a little while.

Dwane
