FTP brute-force: sig 6250

Having trouble with sig 6250 - I don't see any alerts on my test attempts to brute-force the password on a Linux server with vsftpd running.

Have some doubts about the regex in 6250 - do you really need \r\n at the beginning of the server reply before the response code?

Is anyone using sig 6250? Is it working?

PS: Sig is Enabled, Able to see my auth. failures in IPlog on the sensors - but no alerts. 4.1.3S67.


Re: FTP brute-force: sig 6250

How are you trying to log in to the FTP server? The sensor is counting failed login attempts inside of the same connection (TCP stream). So, if you are attempting to log in and disconnect between attempts, then this might explain the lack of alarms. A traffic sample should be able to clear this up if it's still not working. You can send them to mcerha@cisco.com if you'd like us to look at them.

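Added example, not part of the original thread and not Cisco's signature code: a sketch of the per-stream counting described in the reply, next to a per-source count that also sees failures spread over several connections. The pattern (CRLF before the `530` reply code, as the question describes), the threshold, the addresses and the sample streams are all assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed pattern, modelled on the thread's description (CRLF before the reply
# code); it is not the actual regex of signature 6250.
FAILED_LOGIN = re.compile(rb"\r\n530[ -]")
THRESHOLD = 3  # assumed failures-per-scope limit, not the signature's real value

# Constructed sample: (client_ip, client_port, server-to-client bytes of one TCP stream)
BANNER = b"220 (vsFTPd)\r\n"
ASK = b"331 Please specify the password.\r\n"
FAIL = b"530 Login incorrect.\r\n"
STREAMS = [
    # one connection, three failed logins inside it
    ("192.0.2.10", 40001, BANNER + (ASK + FAIL) * 3),
    # same number of failures, but one per connection
    ("192.0.2.20", 41001, BANNER + ASK + FAIL),
    ("192.0.2.20", 41002, BANNER + ASK + FAIL),
    ("192.0.2.20", 41003, BANNER + ASK + FAIL),
]

def failures_in_stream(data):
    """Count failed-login replies in one reassembled server-to-client stream."""
    return len(FAILED_LOGIN.findall(data))

def per_stream_alerts(streams, threshold=THRESHOLD):
    """Alert per TCP stream, the counting scope described in the reply."""
    return [(ip, port) for ip, port, data in streams
            if failures_in_stream(data) >= threshold]

def per_source_alerts(streams, threshold=THRESHOLD):
    """Alert per client IP, summing failures across all of its streams."""
    totals = Counter()
    for ip, _port, data in streams:
        totals[ip] += failures_in_stream(data)
    return sorted(ip for ip, n in totals.items() if n >= threshold)

if __name__ == "__main__":
    print("per-stream:", per_stream_alerts(STREAMS))
    print("per-source:", per_source_alerts(STREAMS))
```

In a reassembled stream the `530` reply always follows the CRLF that ends the previous server line (the banner or the `331` prompt), so a leading `\r\n` in the pattern still matches; it only fails on a reply inspected in isolation.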