Suricata-vs-snort/Test-cases/Multiple-failed-logins
Multiple failed logins
- Test: Multiple failed logins against vsFTPd
- Payload: Manual process, not automated. Suricata needs manually written rules based on flowint
- Suricata rule:
alert tcp any any -> any any (msg:"Counting Failed Logins"; content:"incorrect"; \
    flowint: username, notset; flowint:username, =, 1; noalert; sid:1;)
alert tcp any any -> any any (msg:"More than two Failed Logins!"; content:"incorrect"; \
    flowint: username, isset; flowint:username, +, 1; flowint:username, >, 2; sid:2;)
- Suricata trace: Detected with flowint but needs to be configured
- Suricata score: 1
- Snort rule:
The following rule was added to the local.rules file:
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Brute Force Attempt"; \
    flow:from_server,established; content:"530 "; nocase; offset:0; depth:4; \
    detection_filter:track by_src, count 2, seconds 120; sid:1000001; rev:1;)
- Snort trace:
[**] [1:491:11] FTP Bad login [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
04/20-12:39:13.803985 192.168.100.48:21 -> 192.168.100.45:44886
TCP TTL:64 TOS:0x0 ID:56425 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0x23CB9957  Ack: 0x5A9EEBCC  Win: 0x16A  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1854022 6705362

[**] [1:13360:1] POLICY failed FTP login attempt [**]
[Classification: Misc activity] [Priority: 3]
04/20-12:39:13.803985 192.168.100.48:21 -> 192.168.100.45:44886
TCP TTL:64 TOS:0x0 ID:56425 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0x23CB9957  Ack: 0x5A9EEBCC  Win: 0x16A  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1854022 6705362
[Xref => http://www.ietf.org/rfc/rfc0959.txt]

[**] [1:1000001:1] FTP Brute Force Attempt [**]
[Priority: 0]
04/20-12:39:24.827633 192.168.100.48:21 -> 192.168.100.45:44886
TCP TTL:64 TOS:0x0 ID:56430 IpLen:20 DgmLen:74 DF
***AP*** Seq: 0x23CB99B5  Ack: 0x5A9EEBE6  Win: 0x16A  TcpLen: 32
TCP Options (3) => NOP NOP TS: 1856778 6707941
- Snort score: 1
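The two rule sets above count failed logins in different ways, and the difference matters when you tune them. The Python below is an added simulation written for this page (it is not Suricata or Snort code, and was not part of the original test): it replays constructed FTP server replies through a per-flow counter that mirrors the flowint rules (sid:1 sets the counter to 1 and stays silent, sid:2 adds 1 and alerts once the value exceeds 2) and through a per-host sliding window that mirrors detection_filter (alert once more than `count` matches fall within `seconds`). The IP addresses, ports and timestamps are constructed sample data, and the `flow_key` helper and `track` parameter are this example's own simplifications of the engines' real flow and threshold tracking.

```python
from collections import defaultdict, deque

# Constructed FTP control-channel replies, server -> client, one per login attempt.
# Fields: (timestamp_seconds, src_ip, src_port, dst_ip, dst_port, reply_line)
SERVER = "192.168.100.48"
CLIENT_A = "192.168.100.45"
CLIENT_B = "192.168.100.77"   # constructed second client

SAMPLE_EVENTS = [
    (0.0,   SERVER, 21, CLIENT_A, 44886, "530 Login incorrect."),
    (5.0,   SERVER, 21, CLIENT_A, 44886, "530 Login incorrect."),
    (11.0,  SERVER, 21, CLIENT_A, 44886, "530 Login incorrect."),
    # CLIENT_A reconnects: a new flow (new client port), same client host
    (20.0,  SERVER, 21, CLIENT_A, 44900, "530 Login incorrect."),
    # a different client fails once
    (25.0,  SERVER, 21, CLIENT_B, 50112, "530 Login incorrect."),
    # a successful login matches neither rule
    (31.0,  SERVER, 21, CLIENT_A, 44900, "230 Login successful."),
    # one more failure long after the 120 s window has passed
    (200.0, SERVER, 21, CLIENT_A, 44900, "530 Login incorrect."),
]


def is_failed_login(reply):
    # Snort rule: content "530 " at offset 0, depth 4 (vsFTPd replies "530 Login incorrect.")
    return reply[:4] == "530 "


def flow_key(src_ip, src_port, dst_ip, dst_port):
    # Direction-independent stand-in for a Suricata TCP flow (simplified 5-tuple)
    return ("tcp", frozenset({(src_ip, src_port), (dst_ip, dst_port)}))


def flowint_alerts(events, threshold=2):
    """Per-flow counter, as the two Suricata flowint rules do it.

    First match in a flow: counter not set -> set to 1, no alert (sid:1).
    Later matches: counter is set -> add 1, alert when it exceeds threshold (sid:2).
    Returns (timestamp, client_ip, client_port, counter) per alert.
    """
    counters = {}
    alerts = []
    for ts, src, sport, dst, dport, reply in events:
        if not is_failed_login(reply):
            continue
        key = flow_key(src, sport, dst, dport)
        if key not in counters:
            counters[key] = 1           # sid:1 - flowint notset -> =, 1; noalert
            continue
        counters[key] += 1              # sid:2 - flowint isset -> +, 1
        if counters[key] > threshold:   # flowint:username, >, 2
            alerts.append((ts, dst, dport, counters[key]))
    return alerts


def detection_filter_alerts(events, count=2, seconds=120, track="by_src"):
    """Per-host sliding window, as Snort's detection_filter does it.

    The tracked address is the packet's source (by_src) or destination (by_dst).
    The rule fires on every match once more than `count` matches have been seen
    for that host within the last `seconds`.
    Returns (timestamp, tracked_ip, matches_in_window) per alert.
    """
    windows = defaultdict(deque)
    alerts = []
    for ts, src, sport, dst, dport, reply in events:
        if not is_failed_login(reply):
            continue
        host = src if track == "by_src" else dst
        window = windows[host]
        while window and ts - window[0] > seconds:   # drop matches outside the window
            window.popleft()
        window.append(ts)
        if len(window) > count:
            alerts.append((ts, host, len(window)))
    return alerts


if __name__ == "__main__":
    print("flowint (per flow):", flowint_alerts(SAMPLE_EVENTS))
    print("detection_filter track by_src:", detection_filter_alerts(SAMPLE_EVENTS))
    print("detection_filter track by_dst:", detection_filter_alerts(SAMPLE_EVENTS, track="by_dst"))
```

Two points fall out of the simulation. The flowint state lives in a single flow, so a client that disconnects and reconnects after two failures starts the count from zero, which is why the flowint approach alone catches only the third failure inside one connection. The Snort rule matches packets travelling from the server on port 21 to the client, so `track by_src` keys the count on the FTP server's address: failures served to every client are pooled into one counter, and a client with a single failed attempt can trigger the alert once the server has rejected other clients. If the intent is to count per attacking host, the filter has to track the client side (`by_dst` for this rule direction) instead.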