Cisco Support Community

New Member

IDS signature for login Failure

Is there a signature that detects login failures where you can set a threshold, like 3 login failures, and if this is reached, someone will be alerted?

Seems pretty common, right?

Thanks

7 REPLIES
New Member

Re: IDS signature for login Failure

Sorry, I didn't tell it all. I would like to know if someone is trying to SSH, FTP or whatever the situation may be. If we determine that the login threshold is 5, we can set it and be alerted if someone is attempting to log in.

Thanks

Gold

Re: IDS signature for login Failure

IMHO, this is better accomplished using a tool that monitors host logs. The sensor can't do much for encrypted protocols like SSH and HTTPS.

However, there are signatures for a couple of protocols:

3127-0: SNMP brute force
5606-0, 6255-0: SMB auth failure
6250-0: FTP auth failure
6251-0: telnet auth failure
6252-0: rlogin auth failure
6253-0: pop3 login failure
6256-0: HTTP auth failure

Silver

Re: IDS signature for login Failure

You can craft a custom sweep signature with a dest port of . Basically you want to look for a single host attempting more than one connection attempt to more than one target IP in a very short duration (say 3-5 seconds), then choose the action (alert, drop, shun, etc.). Hope that helps sir!

New Member

Re: IDS signature for login Failure

Can you explain how I would create such a signature? And will this include logins?

Thank you,

Dwane

Gold

Re: IDS signature for login Failure

IMHO, you can't do this very effectively with a layer 4 signature for many protocols, either because I can attempt to login many times during a single TCP session, or because multiple TCP sessions are not necessarily good indicators of login attempts. It is very unlikely any signature like this would include "logins" because it's triggering on layer 4 information.

Silver

Re: IDS signature for login Failure

It will not include logins, no, as it is using the 'sweep' engine. Basically you are looking for more than one target connection attempt within a given window. You can easily do this today for SSH. When you craft your signature, configure a threshold of say 5 unique targets in 10-30 seconds from a single source. Your storage key and summary key should be Axxx, define your target port as 22, and your tcp-flag will obviously be SYN. Hope this helps!

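An added example, not code from this thread or from Cisco, that contrasts the two approaches the replies discuss: a host-log threshold on failed logins per source (what the question asks for, and what the Gold reply recommends) beside a sweep-style count of unique targets per source on port 22, which fires on connection attempts rather than logins. All sample events, names and thresholds are constructed for illustration.

```python
# Added example (not from the thread): two sliding-window threshold detectors.
# detect_auth_failures() is the host-log approach recommended in the thread;
# detect_sweep() mirrors the sweep-engine idea (unique targets per source), which
# counts SYNs to a port, not login attempts inside an SSH session.
from collections import defaultdict, deque

# Constructed sample data: (timestamp_seconds, source_ip) for failed logins parsed
# from host auth logs, and (timestamp, src, dst, dport, syn) for observed packets.
AUTH_FAILURES = [(0, "10.1.1.5"), (2, "10.1.1.5"), (4, "10.1.1.5"),
                 (5, "10.1.1.9"), (6, "10.1.1.5"), (7, "10.1.1.5")]
PACKETS = [(0, "10.1.1.5", "192.0.2.1", 22, True),
           (1, "10.1.1.5", "192.0.2.2", 22, True),
           (2, "10.1.1.5", "192.0.2.1", 22, True),   # repeat target: not a new unique target
           (3, "10.1.1.5", "192.0.2.3", 22, True),
           (4, "10.1.1.5", "192.0.2.4", 22, True),
           (5, "10.1.1.5", "192.0.2.5", 80, True),   # wrong port: ignored by the sweep check
           (6, "10.1.1.5", "192.0.2.5", 22, True)]

def detect_auth_failures(events, threshold=5, window=30):
    """Alert when one source reaches `threshold` failed logins inside `window` seconds."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = []
    for ts, src in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) == threshold:           # fire once, at the moment the threshold is crossed
            alerts.append((ts, src))
    return alerts

def detect_sweep(packets, threshold=5, window=30, port=22):
    """Sweep-style check: `threshold` distinct targets on `port` from one source in `window` s."""
    recent = defaultdict(deque)   # src -> (timestamp, dst) of SYNs to the port
    alerts = []
    for ts, src, dst, dport, syn in packets:
        if not syn or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({d for _, d in q}) == threshold:   # unique targets, so repeats don't count
            alerts.append((ts, src))
    return alerts
```

Note that the sweep check never sees the six failed logins in AUTH_FAILURES at all; it only fires because the source touched five distinct hosts on port 22.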
New Member

Re: IDS signature for login Failure

I am going to give this a shot. Thanks for the help and I will get back to let you all know how it went. It may be a little while.

Dwane
