Discussion:
[Snort-users] Alert not detected once
João Mota
2006-05-11 17:39:42 UTC

Hello snorters,

A strange thing happened in my snort box. I'm only using snort to
block ssh brute force attacks. I'm using it with snortsam and, because
I couldn't patch the current snort version, I'm using the one already
patched available at the snortsam web site (v 2.4.3 Build 26).
Everything was working great (26 successful blocks) until yesterday
when a brute force attack was missed (doesn't show in the snort logs).
The system logs showed over 70 login failures in less than 10 minutes
and I have a threshold of 5 SYN packets to the port 22 per minute. The
rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; threshold: type threshold, track by_src, count 5, seconds 60; sid: 2001219; rev:12; fwsam: src[either],5min;)

Another attack after that one was still detected. Does anyone have a
clue why this happened? Was there a bugfix related to this in more
recent snort releases?

Thanks,

--
João Mota <***@3gnt.net>
3GNTW - Tecnologias de Informação, Lda

sip: ***@3gnt.net
jid: ***@jabber.3gnt.org

______________________________________________
Snort-users mailing list
Snort-***@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Daniel Cid
2006-05-14 21:34:57 UTC
Hi Joao,

I think you are trying to use the wrong tool for that.
Snort does not have access to the content of the ssh
messages, so you don't know what is going on there
(if the login failed, succeeded, etc).
In addition to that, in just one session (or just one
Syn), a user may attempt 2 or 3 or more passwords
(depending on the sshd server config).

I really recommend you to use a log analysis tool
to solve this kind of problem. You will be able to
see the server response, the user name tried and
exactly the number of attempts. I have been using
ossec hids (I'm one of the developers) for that and
it is working great.

In addition to that, most people don't know it,
but ossec can analyse snort logs and execute actions
based on them in a "safe" manner. For example, you
can configure it to block an IP if we see 5 snort
alerts within 1 minute for that IP (or if we see an
alert from a specific category, etc). It avoids
false positives and makes the active response much
more reliable.

*Example of alert from ossec on multiple ssh failed
logins (it will mail an administrator and block the
IP):

OSSEC HIDS Notification
2006 May 11 21:17:0

Received From: /var/log/messages
Rule: 1512 fired (level 10) -> "SSHD brute force trying to get access to the system."
Portion of the log(s):

sshd[9370]: Failed password for invalid user admin from 200.30.175.162 port 58257 ssh2
sshd[9370]: Invalid user admin from 200.30.175.162
sshd[9368]: Failed password for invalid user fluffy from 200.30.175.162 port 58212 ssh2
sshd[9368]: Invalid user fluffy from 200.30.175.162
sshd[9366]: Failed password for invalid user slasher from 200.30.175.162 port 58109 ssh2
sshd[9366]: Invalid user slasher from 200.30.175.162
sshd[9364]: Failed password for invalid user sifa from 200.30.175.162 port 58030 ssh2

Sorry if I changed the subject too much :)

Thanks,

--
Daniel B. Cid
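To illustrate the two messages above in code (this is an added example, not code from OSSEC, SnortSAM or anyone in the thread; the sshd log lines are constructed and 203.0.113.7 is a documentation address), the same failed-login log is scored twice: once the way the SID 2001219 rule counts SYNs per source, and once the way a log analyser counts every failed password per source. Three sessions with four password tries each stay under the 5-SYN threshold yet produce 12 failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: "
                    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

def constructed_log():
    """Constructed sample (not from the thread): 3 SSH sessions, 4 password tries each, in 48 s."""
    lines, t = [], datetime(2006, 5, 11, 21, 15, 0)
    for pid in (9001, 9002, 9003):          # one sshd child per TCP session, i.e. per SYN
        for _ in range(4):                  # sshd lets a client try several passwords per session
            t += timedelta(seconds=4)
            lines.append(f"{t:%b %d %H:%M:%S} host sshd[{pid}]: Failed password for "
                         f"invalid user admin from 203.0.113.7 port {58000 + pid} ssh2")
    return lines

def parse(line, year=2006):
    """Return (timestamp, pid, source_ip) for a 'Failed password' line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), int(m["pid"]), m["ip"]

def _threshold(queue, ts, count, seconds):
    """Snort 'type threshold' semantics: fire once per `count` events seen within `seconds`."""
    queue.append(ts)
    while ts - queue[0] > timedelta(seconds=seconds):
        queue.popleft()
    if len(queue) < count:
        return False
    queue.clear()
    return True

def syn_alerts(events, count=5, seconds=60):
    """What the SID 2001219 rule counts: new TCP sessions (one SYN each) per source IP."""
    seen, windows, alerts = set(), defaultdict(deque), []
    for ts, pid, ip in events:
        if (ip, pid) not in seen:           # first log line of a session stands in for its SYN
            seen.add((ip, pid))
            if _threshold(windows[ip], ts, count, seconds):
                alerts.append((ip, ts))
    return alerts

def login_alerts(events, count=5, seconds=60):
    """What a log analyser counts: every failed password per source IP, whatever the session."""
    windows, alerts = defaultdict(deque), []
    for ts, _, ip in events:
        if _threshold(windows[ip], ts, count, seconds):
            alerts.append((ip, ts))
    return alerts
```

Running `syn_alerts` on the parsed sample yields no alert (only 3 SYNs in the window), while `login_alerts` fires twice on the same 12 failures.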