Brute Force FTP sids
2006-07-05 00:31:50
You are correct, Mr. Quinton. I moved 2002835 over to SCAN to replace the second one.

Appreciate you noticing that!

Matt
 

> -----Original Message-----
> From: Reg Quinton [mailto:reggersist.uwaterloo.ca] 
> Sent: Tuesday, July 04, 2006 9:43 AM
> To: Bleeding Sigs
> Subject: [Bleeding-sigs] Brute Force FTP sids 
> 
> These two sids are almost identical (the one ignores attacks on user
> anonymous):
> 
> [9:38am dominic] egrep '2002835|2002383' /etc/snort/bleeding-all.rules
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 120; sid:2002383; rev:2;)
> alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE SCAN FTP Brute Force Attempts"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; content:!"530 User anonymous"; nocase; threshold:type threshold, track by_dst, count 5, seconds 360; classtype:bad-unknown; sid:2002835; rev:3;)
> 
> Are both required? Isn't one enough?
> 
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
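The following script is an added example, not part of the thread and not code from the Bleeding Edge project. It replays the two quoted rules over constructed FTP server responses to show where they overlap and where they differ: the `pcre` both share, the `content:!"530 User anonymous"` exclusion that only sid 2002835 carries, and the different `threshold` windows (120s versus 360s). The `Rule`, `replay` and `SAMPLE_EVENTS` names are the example's own, the sample traffic is constructed, and the threshold bookkeeping is a simplified approximation of Snort's `type threshold, track by_dst` (count restarts when the window expires, alert on every count-th hit), not Snort's actual implementation.

```python
"""Replay the two Bleeding Edge FTP brute-force rules (sids 2002383 and
2002835) over constructed FTP server responses.

Assumptions (this is an added example, not project code):
  * Each event is (timestamp_seconds, client_ip, ftp_response_line), i.e. the
    server reply seen going from $HOME_NET:21 to the client ($EXTERNAL_NET).
  * The threshold logic is a hypothetical simplification of Snort's
    'threshold: type threshold, track by_dst, count N, seconds S'.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Mirrors pcre:"/^530\s+(Login|User)/smi" (s = dotall, m = multiline, i = ignorecase).
LOGIN_FAILED = re.compile(r"^530\s+(Login|User)", re.S | re.M | re.I)


@dataclass
class Rule:
    sid: int
    count: int                # threshold count
    seconds: int              # threshold window in seconds
    exclude_anonymous: bool   # content:!"530 User anonymous"; nocase;

    def matches(self, response: str) -> bool:
        """Apply the rule's content/pcre options to one server response."""
        # content:"530 " is the literal pre-check, then the pcre must also hit.
        if "530 " not in response or not LOGIN_FAILED.search(response):
            return False
        # Negated, case-insensitive content match present only in sid 2002835.
        if self.exclude_anonymous and "530 user anonymous" in response.lower():
            return False
        return True


RULES = [
    Rule(sid=2002383, count=5, seconds=120, exclude_anonymous=False),
    Rule(sid=2002835, count=5, seconds=360, exclude_anonymous=True),
]


@dataclass
class ThresholdState:
    window_start: float = 0.0
    hits: int = 0


def replay(events, rules=RULES):
    """Return a list of (sid, client_ip, timestamp) alerts.

    Simplified 'type threshold' semantics: per (sid, destination) the hit count
    restarts when the window has expired, and an alert is raised on every
    count-th hit inside a window, after which the counter re-arms.
    """
    state = defaultdict(ThresholdState)   # keyed by (sid, client) -> track by_dst
    alerts = []
    for ts, client, response in events:
        for rule in rules:
            if not rule.matches(response):
                continue
            st = state[(rule.sid, client)]
            if st.hits == 0 or ts - st.window_start > rule.seconds:
                st.window_start, st.hits = ts, 0   # open a fresh window
            st.hits += 1
            if st.hits >= rule.count:
                alerts.append((rule.sid, client, ts))
                st.hits = 0                         # re-arm for the next N hits
    return alerts


# Constructed sample traffic (not captured data).
SAMPLE_EVENTS = [
    # 10.0.0.5: six failed logins for a real account within 50s -> both rules fire.
    *[(t, "10.0.0.5", "530 Login incorrect.\r\n") for t in (0, 10, 20, 30, 40, 50)],
    # 10.0.0.9: five anonymous refusals within 40s -> only sid 2002383 fires.
    *[(t, "10.0.0.9", "530 User anonymous access denied.\r\n") for t in (0, 10, 20, 30, 40)],
    # 10.0.0.7: five failures 80s apart -> outside the 120s window, inside 360s.
    *[(t, "10.0.0.7", "530 User bob cannot log in.\r\n") for t in (0, 80, 160, 240, 320)],
    # 10.0.0.3: a successful login never matches either rule.
    (5, "10.0.0.3", "230 Login successful.\r\n"),
]

if __name__ == "__main__":
    for sid, client, ts in replay(SAMPLE_EVENTS):
        print(f"sid {sid} fired for client {client} at t={ts}s")
```

Running it shows that the SCAN rule (2002835) is the broader of the two in time but the narrower in content: it ignores anonymous refusals yet catches a slow attempt that the 120-second window of 2002383 misses, which is why the two rules are not strictly redundant even though their `pcre` is identical.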