Doc/Custom Signature Examples for IPS

jtcollins
Level 1

Are there any additional sources of information for creating custom signatures for IPS? I am working with an SSM-10 module in an ASA. The product docs are great for install and basic tuning, but I need a bit more for signatures/actions.

We are trying to stop dictionary attacks being thrown at one of our servers and would like to shut down access to a source address after a few failed tries.

5 Replies

What kind of application is this? If it's using Active Directory logon then there is a built-in signature that you can clone and modify as necessary. Other protocols also have authentication signatures AFAIK. If it's not already there you need to use the link provided by htarra to create a signature yourself. If the protocol is clear-text you can just do a regular string signature to look for the auth. failure string/OP code.

Regards

Farrukh

Hi Farrukh,

It is RADIUS authentication using IAS. The client has numerous services/devices that are exposed and use this type of authentication. Someone is throwing dictionary attacks against them all the time. I had hoped to be able to shut this down based on source IP after about three failed attempts.

Do you know if there are any existing signatures that could be modified to accomplish this?

Regards,

Jeff

I could not locate any on the following link:

http://tools.cisco.com/security/center/search.x

RADIUS is a semi-clear text protocol (except some fields), so you can capture the traffic via a packet sniffer and make the appropriate signature.

Regards

Farrukh
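
The fields such a signature would key on once the traffic is captured, as an added example (not from the thread and not a Cisco IPS signature): it parses the clear-text RADIUS header and attributes and counts Access-Reject replies per origin, matching each reply to its request by Identifier. It assumes the NAS reports the client address in Calling-Station-Id; all addresses and packets are constructed.

```python
import struct
from collections import Counter

ACCESS_REQUEST, ACCESS_REJECT = 1, 3    # RFC 2865 Code values
USER_NAME, CALLING_STATION_ID = 1, 31   # RFC 2865 attribute types

def parse_radius(payload):
    """Return (code, identifier, {attr_type: value}) for one RADIUS UDP payload."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length, _auth = struct.unpack("!BBH16s", payload[:20])
    if not 20 <= length <= len(payload):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:                      # attributes are type/length/value
        hdr = payload[pos:min(pos + 2, length)]
        if len(hdr) < 2 or hdr[1] < 2 or pos + hdr[1] > length:
            raise ValueError("malformed attribute")
        attrs[hdr[0]] = payload[pos + 2:pos + hdr[1]]
        pos += hdr[1]
    return code, ident, attrs

def count_rejects(packets):
    """Count rejects per Calling-Station-Id (assumed set by the NAS; else NAS IP)."""
    pending, rejects = {}, Counter()
    for src, dst, payload in packets:        # (src_ip, dst_ip, udp_payload)
        try:
            code, ident, attrs = parse_radius(payload)
        except ValueError:
            continue                         # not RADIUS, or damaged capture
        if code == ACCESS_REQUEST:
            origin = attrs.get(CALLING_STATION_ID, src.encode())
            pending[(src, dst, ident)] = origin.decode(errors="replace")
        elif code == ACCESS_REJECT:
            origin = pending.pop((dst, src, ident), None)  # reply reverses src/dst
            if origin is not None:
                rejects[origin] += 1
    return rejects

def build(code, ident, attrs=()):
    """Constructed test packet; the 16-byte authenticator is zero-filled."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH16s", code, ident, 20 + len(body), bytes(16)) + body

def sample(nas="10.0.0.5", server="10.0.0.9", tries=3):  # constructed capture
    attrs = [(USER_NAME, b"admin"), (CALLING_STATION_ID, b"203.0.113.7")]
    return [p for i in range(tries) for p in (
        (nas, server, build(ACCESS_REQUEST, i, attrs)),
        (server, nas, build(ACCESS_REJECT, i)))]
```

Any origin whose count reaches the three failures mentioned earlier in the thread is a candidate for a block action; the User-Password attribute is the hidden field and is never needed for this.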

If you can provide us with the pcaps of the failed login attempts, I will be able to look into it and see if a signature is possible.

Thanks,

Roopesh

IPS Signature Engineering

Cisco Systems Inc
