17 Sep

If you haven’t noticed, I have been writing some custom snort rules lately. You might also be interested in the POP3 brute force and HTTP brute force rules.

SMTP Brute Force Block Rule:

alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"Rapid SMTP Auth Failures - Possible Brute Force Attack"; content: "Authentication failed"; nocase; threshold: type both, track by_dst, count 20, seconds 10; classtype: misc-activity; rev:4; sid:1234567895; fwsam: dst, 240 minutes;)

The rule above watches replies from your SMTP servers. When 20 replies containing "Authentication failed" go to the same destination host within 10 seconds, it alerts once and (with SnortSam) blocks that host for 240 minutes.

This may vary based on your mail server software. You can test this by doing a telnet to your mail server:

telnet mail.host.net 25
EHLO
AUTH LOGIN
334 VXN1cm5hbWU6
type some gibberish
334 UGFzc3dvcmQ6
type some more gibberish
500 5.7.0 Authentication Failed

The last line - "500 5.7.0 Authentication Failed" - tells you what to put in the content rule option, based on your server's response to the failed login (the nocase option covers differences in capitalisation, such as "failed" vs. "Failed"). You may also need to modify other parts of the rule for your environment, e.g. the sid, to avoid conflicts with other rules.

NOTE: Snort will not block the offending host unless you have the SnortSam plugin installed.

This rule has been tested against brute-force runs from THC Hydra.

03 Sep

In response to Snort: Simple Rule To Block HTTP Brute Force, here is a similar rule, only for POP3 brute forcing:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 20, seconds 10; classtype: misc-activity; rev:1; sid:1234567890; fwsam: src, 10 minutes;)

HINT: You may have to adjust the threshold by modifying the 'count 20, seconds 10' part to meet your needs. Because this rule matches on SYN flags, it counts new connections to port 110 from one source rather than failed logins. Some brute forcing programs can generate up to 80 logins per second, so it is possible to set the threshold much higher if you are getting false positives.

29 Aug

I got hacked not too long ago, so I decided to set up snort patched with snortsam to stop the intruders. This actually works very well.

They got in by brute forcing a log in page for the web mail interface. The intruders also used the compose mail page to send spam after they broke in.

I wrote my own snort rule to detect and block brute forcing and sending spam through the web mail (it will only block if you have snortsam properly set up). This rule blocks anyone that does an HTTP POST more than 20 times within 10 seconds (I believe it is a ratio - average of 2 times per second).

alert tcp any any -> X.X.X.X 80 ( content: "POST"; depth: 4; nocase; msg: "Webmail Brute Force Attempt or Spam Attack"; threshold: type both, track by_src, count 20, seconds 10; classtype: misc-activity; sid:123456789; rev:1; fwsam: src, 10 minutes;)

HINT: Replace X.X.X.X with the IP of your web server. Take out the "fwsam: src, 5 minutes;" option if you are not using snortsam (you should be ;p). Replace 123456789 with your own custom ID and make it large so it doesn't conflict with default snort rules.
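To see what the threshold option in this rule (and the POP3 one above) will actually fire on, here is an added example that is not from the post: a small Python simulator of Snort's "threshold: type both" behaviour, assuming the usual reading that it alerts once when `count` events from the tracked host arrive inside a `seconds` window and then stays quiet for the rest of that window. The hosts and timestamps are constructed.

```python
# Added example (not from the post): simulate Snort's "threshold: type both"
# against constructed traffic, so you can tune count/seconds before deploying.
# Assumption: "type both" = alert once per window after `count` events, then
# suppress further alerts until the window expires.
import re

# The webmail rule from the post, with straight quotes (Snort rejects the
# curly quotes a blog engine inserts).
HTTP_RULE = ('alert tcp any any -> X.X.X.X 80 ( content: "POST"; depth: 4; nocase; '
             'msg: "Webmail Brute Force Attempt or Spam Attack"; '
             'threshold: type both, track by_src, count 20, seconds 10; '
             'classtype: misc-activity; sid:123456789; rev:1; fwsam: src, 10 minutes;)')

THRESHOLD_RE = re.compile(r'threshold:\s*type\s+(\w+),\s*track\s+(by_\w+),'
                          r'\s*count\s+(\d+),\s*seconds\s+(\d+)')
FWSAM_RE = re.compile(r'fwsam:\s*(src|dst),\s*(\d+)\s*(second|minute|hour|day)s?')
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}

def parse_threshold(rule):
    """Return (type, track, count, seconds) from the rule's threshold option."""
    m = THRESHOLD_RE.search(rule)
    if not m:
        raise ValueError("rule has no threshold option")
    return m.group(1), m.group(2), int(m.group(3)), int(m.group(4))

def parse_fwsam(rule):
    """Return (who_to_block, block_seconds), or None if there is no fwsam option."""
    m = FWSAM_RE.search(rule)
    return (m.group(1), int(m.group(2)) * UNIT_SECONDS[m.group(3)]) if m else None

def simulate(events, count, seconds):
    """events: (host, timestamp) pairs in time order. Returns the [(host, ts)]
    at which the rule alerts (and SnortSam would block) under 'type both'."""
    windows = {}  # host -> [window_start, events_seen, already_alerted]
    fired = []
    for host, ts in events:
        w = windows.get(host)
        if w is None or ts - w[0] >= seconds:   # window expired: open a new one
            w = windows[host] = [ts, 0, False]
        w[1] += 1
        if w[1] >= count and not w[2]:          # count reached: alert once per window
            w[2] = True
            fired.append((host, ts))
    return fired

# Constructed traffic: a brute forcer doing 3 POSTs/s for 10 s, and a normal
# user submitting a form every 12 s. Timestamps are whole seconds.
EVENTS = sorted([("10.0.0.9", 100 + i // 3) for i in range(30)]
                + [("192.0.2.5", 100 + 12 * i) for i in range(5)], key=lambda e: e[1])

if __name__ == "__main__":
    _, track, count, seconds = parse_threshold(HTTP_RULE)
    print(track, parse_fwsam(HTTP_RULE), simulate(EVENTS, count, seconds))
```

The brute forcer trips the rule at its 20th POST and is then silent for the rest of the window, while the normal user never reaches the count.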

Have you written any custom snort rules, or do you have a suggestion to improve this rule? Show us in the comments.
