If you haven’t noticed, I have been writing some custom snort rules lately. You might also be interested in the POP3 brute force and HTTP brute force rules.
SMTP Brute Force Block Rule:
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Rapid SMTP Auth Failures - Possible Brute Force Attack"; content: "Authentication failed"; nocase; threshold: type both, track by_dst, count 20, seconds 10; classtype: misc-activity; rev:4; sid:1234567895; fwsam: dst, 240 minutes;)
The above rule matches responses from your SMTP servers that contain "Authentication failed" and, once 20 of them go to the same destination within 10 seconds, alerts and blocks the host those packets are destined to (the client that keeps failing to log in).
The exact response text varies by mail server software. You can check yours by telnetting to your mail server:
telnet mail.host.net 25
EHLO
AUTH LOGIN
334 VXN1cm5hbWU6
type some gibberish
334 UGFzc3dvcmQ6
type some more gibberish
500 5.7.0 Authentication Failed
The last line - "500 5.7.0 Authentication Failed" - tells you what to specify for the content rule option, based on your server's response to the failed login. You may also need to modify other parts of the rule for your environment, e.g. the sid, to avoid conflicts with other rules.
NOTE: Snort will not block the offending host unless you have the SnortSam plugin installed.
alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 20, seconds 10; classtype: misc-activity; rev:1; sid:1234567890; fwsam: src, 10 minutes;)
HINT: You may have to adjust the threshold by modifying the 'count 20, seconds 10' part to meet your needs. Some brute forcing programs can generate up to 80 logins per second, so it is possible to set the threshold much higher if you are getting false positives.
I got hacked not too long ago, so I decided to set up snort patched with snortsam to stop the intruders. This actually works very well.
They got in by brute forcing a login page for the web mail interface. The intruders also used the compose mail page to send spam after they broke in.
I wrote my own snort rule to detect and block brute forcing and sending spam through the web mail (It will only block if you have snortsam properly setup). This rule blocks anyone that does an HTTP POST more than 20 times within 10 seconds (I believe it is a ratio - average of 2 times per second).
alert tcp any any -> X.X.X.X 80 (content: "POST"; depth: 4; nocase; msg: "Webmail Brute Force Attempt or Spam Attack"; threshold: type both, track by_src, count 20, seconds 10; classtype: misc-activity; sid:123456789; rev:1; fwsam: src, 10 minutes;)
HINT: Replace X.X.X.X with the IP of your web server. Take out the “fwsam: src, 5 minutes;” if you are not using snortsam (you should be ;p). Replace 123456789 with your own custom ID and make it large so it doesn’t conflict with default snort rules.
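All three rules above lean on the same Snort option, threshold: type both, so here is a small Python model of that logic (added here as an illustration, not code from the post or from Snort) run over constructed SMTP failure responses. The addresses, timings and the ThresholdBoth/run_smtp_rule names are made up; the same tracker with "by_src" models the POP3 SYN rule and the webmail POST rule.

```python
from collections import defaultdict


class ThresholdBoth:
    """Models Snort 'threshold: type both': alert once per window of
    `seconds` after `count` events for one tracked address, then stay
    quiet until that window (opened by the address's first event) expires."""
    def __init__(self, count, seconds, track):
        self.count, self.seconds, self.track = count, seconds, track
        self.state = defaultdict(lambda: [None, 0, False])  # key -> [t0, n, fired]

    def observe(self, ts, src, dst):
        key = src if self.track == "by_src" else dst
        t0, n, fired = self.state[key]
        if t0 is None or ts - t0 >= self.seconds:   # window expired: start over
            t0, n, fired = ts, 0, False
        n += 1
        alert = n >= self.count and not fired
        self.state[key] = [t0, n, fired or alert]
        return key if alert else None  # the address a fwsam action would block


def smtp_matches(payload):
    """content: "Authentication failed"; nocase"""
    return "authentication failed" in payload.lower()


def run_smtp_rule(events, count=20, seconds=10):
    """events: (ts, src, dst, payload) for packets from port 25 to a client.
    The rule is written from the server side ($SMTP_SERVERS 25 -> $EXTERNAL_NET),
    so the failing client is the packet's *destination*: hence track by_dst."""
    th = ThresholdBoth(count, seconds, "by_dst")
    blocks = []
    for ts, src, dst, payload in events:
        if smtp_matches(payload) and (hit := th.observe(ts, src, dst)):
            blocks.append((ts, hit))
    return blocks


# Constructed sample (hypothetical addresses): 25 failures sent to 203.0.113.9
# within 6 s and 3 slow failures to 198.51.100.4, all from server 192.0.2.25.
FAIL = "500 5.7.0 Authentication Failed"
SAMPLE = sorted(
    [(i * 0.25, "192.0.2.25", "203.0.113.9", FAIL) for i in range(25)]
    + [(i * 1.0, "192.0.2.25", "198.51.100.4", FAIL) for i in range(3)])

if __name__ == "__main__":
    print(run_smtp_rule(SAMPLE))  # [(4.75, '203.0.113.9')]: one alert, then silence
```

The 20th failure triggers a single block decision for 203.0.113.9 and the remaining failures in that 10-second window are ignored, which is why a bursty brute forcer produces one SnortSam block rather than one per packet.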
Have you written any custom snort rules, or do you have a suggestion to improve this rule? Show us in the comments.
SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.
If you use snort and don't already know about Emerging Threats, I am sure it will help you out on your intrusion detecting escapade. If you have any tips for using Emerging Threats' rules, let us know in the comments.
This article is user submitted by rich0rd.
You have multiple computers, and your desk is cluttered with keyboards, mice, and monitors? You desperately need more space, and you are tired of moving your hands the long way from one keyboard to the next? Do not worry any more - rescue is here in the form of Synergy.
Synergy is a nifty little program which allows you to share your mouse and keyboard with other computers on your network. Just move the mouse off your screen and it magically appears on the screen of the next computer, allowing you to type there. Additionally, you can share cut and paste selections, so you can cut something on one screen/PC, move the mouse to the other screen and paste your selection there. Synergy is available for Windows (XP, NT), GNU/Linux, Mac OS X, and Unix. And the best thing is you can even mix different operating systems. Sounds interesting? So let's see how it works.
Synergy is composed of a server (synergys) and a client part (synergyc) which communicate with each other over a network to exchange keyboard and mouse events. The server is started on the main PC whose keyboard and mouse should be shared, and the client is started on each machine which should use the input devices of the server. In the configuration file, you define which screen is to the left, right, top, or bottom of each monitor (like in other multi-monitor setups). If the mouse is moved over an edge, the control events are sent over the network to the host which is defined in the configuration.
Get it
There are binary packages available at the synergy sourceforge page, but if you are using an OS with a package management system I recommend checking if it is available there first. Install synergy on every machine which should participate in the input sharing.
Glype Proxy is a free web-based proxy script written in PHP. It allows webmasters to quickly and easily set up their own proxy site. There is a huge market for these proxy websites that allow both anonymous browsing and bypassing network filters at school, college or work.
Despite the huge popularity of these sites, the choice of scripts available is limited with most either incomplete or problematic. Glype Proxy is intended to be a fast and reliable alternative to the widely used PHProxy (now discontinued) and CGIProxy.
The process of installation couldn’t be any simpler:
Upload the contents of the 'upload' folder inside of the Glype download to a secret directory on your webserver. It is a very good idea to add password protection to this directory (thanks Roland).
Navigate to the appropriate URL where you installed Glype. Ex. http://yourdomain.com/mysecretdirectory/index.php. You should see a screen similar to this:
Type the URL in the box and browse away!
Now you know how simple it is to bypass any web proxy with your very own! Note that Glype also has many other configurable options such as themes (the default is horrid), blacklist/whitelist, plugins, and more.
If you have different PHP proxy scripts that you use, let us know in the comments. How do they compare to Glype?
MySQL is an excellent open source database system. Replication is a great way to keep data redundant in case of a server crash. However, replication should not take the place of backups in case of data corruption or mis-entered data - as this data will also be replicated to the slave.
MySQL replication takes place in a master-slave configuration. Be aware that with this configuration only changes made on the master are replicated to the slave. Any changes made on the slave will not be replicated to the master.
Following the steps below, you can have MySQL replication setup in no time at all.
Nothing is worse than entering repetitive, monotonous commands into a router to accomplish a simple task. By using PHPTelnet we can create a script that will make use of a web form to provision (create a PVC, or Private Virtual Circuit, for) DSL customers in a Cisco router. The script will also write to a log file for security and troubleshooting purposes. This script could be used for many other tasks as well, as it is very easy to modify.
NOTE: Depending on your setup, you may need to make modifications to the script.
First, I will focus on the PHP script, and then the web form.
The first part of the script includes the PHPTelnet.php file and grabs the variables from our web form via the POST method.