[Oisf-devel] [Suricata] Question about flowint - incrementing counter

Sebastien Damaye sebastien.damaye at gmail.com
Wed Mar 16 16:40:34 UTC 2011


Hi Pablo,

Before anything, thank you very much for this very clear and prompt answer.
You are absolutely right. I've updated my rules to trigger an alert after 2
bad logins and have done the tests again within the same session:

$ ftp 192.168.100.35
Connected to 192.168.100.35.
220 (vsFTPd 2.0.7)
Name (192.168.100.35:sdamaye): root
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.
ftp> user root
331 Please specify the password.
Password:
530 Login incorrect.
Login failed.


And.... It has triggered the alert:

03/16/2011-17:35:31.560382  [**] [1:2:0] More than two Failed Logins! [**]
[Classification: (null)] [Priority: 3] {TCP} 192.168.100.35:21 ->
192.168.100.37:3656


Thanks very much for your help.
BTW, the online documentation seems outdated (e.g. the syntax of flowint as
specified on the wiki doesn't work and doesn't correspond to the one used in
the working rules either).


2011/3/16 Pablo <pablo.rincon.crespo at gmail.com>

> Hi Sebastien. The rules look fine. The problem is that looking at the
> pcap, there are different flows per login, as follows:
> 220 (vsFTPd 2.0.7)
> USER root
> 331 Please specify the password.
> PASS a
> 530 Login incorrect.
> SYST
> 530 Please login with USER and PASS.
> QUIT
> 221 Goodbye.
>
> After the QUIT command, the connection is closed, so the flow instance
> is destroyed after that, and the flowint vars will be released too.
> Then a new connection is set up for another login retry, and Suricata
> creates a new flow instance, but flowint vars live in the context of a
> flow. To accomplish this, we need Global Vars (another feature in the
> roadmap of the project), that is, the ability to create variables that
> exist in the context of 2 IP addresses, regardless of ports and IP
> session IDs/streams, flow instances...
>
> That will make Suricata able to use a simple logical correlation,
> something like "an exploit has been detected on the fly" on one flow,
> and after that, the flow is destroyed. OK, but we have set a
> var/int/bit between those hosts indicating that intention, so we don't
> mind if the flow was destroyed because we will keep that
> information/vars in the context of that pair of hosts. So after that,
> if we get "a cmd.exe banner has been matched" between those hosts,
> then we will be able to cross it with the previous attack, alerting
> that the host might be compromised in a more reliable way, tracking
> the intent and response even on different connections.
>
>
> 2011/3/16 Sebastien Damaye <sebastien.damaye at gmail.com>:
> > Hi team,
> > I'm currently testing Suricata in the shape of a comparative analysis with
> > Snort. I've been in contact with Anoop Saldanha who advised me to post my
> > question to the dev team mailing list.
> > Here is my issue:
> > I'm not sure how to use flowint to trigger an alert after 3 bad logins on an
> > FTP account.
> > Here are my rules:
> >
> > alert tcp any any -> any any (msg:"Counting Failed Logins";
> > content:"incorrect"; flowint: username, notset; flowint:username, =, 1;
> > noalert; sid:1;)
> > alert tcp any any -> any any (msg:"More than three Failed Logins!";
> > content:"incorrect"; flowint: username, isset; flowint:username, +, 1;
> > flowint:username, >, 3; sid:2;)
> >
> > I have tested to track the string "incorrect" to ensure it was correct:
> >
> > alert tcp any any -> any any (msg:"test_incorrect"; content:"incorrect";
> > sid:1;)
> >
> > And it works fine. Here is the output in /var/log/suricata/fast.log:
> >
> > 03/16/2011-14:25:23.146103  [**] [1:1:0] test_incorrect [**]
> > [Classification: (null)] [Priority: 3] {TCP} 192.168.100.35:21 ->
> > 192.168.100.37:37082
> >
> > You will find attached to this mail a pcap capture realized with tcpdump
> > (tcpdump -lnx -s 1500 -i eth0 -w badlogins.cap 'port 21') to track the
> > failed authentication attempts.
> > I'm also joining my suricata.yaml configuration in case you would need it...
> > I have the feeling that the counter is not auto-incrementing...
> > Many thanks in advance for your help.
> > --
> > Cordialement/Regards,
> > Sébastien Damaye
> > http://www.aldeid.com
> >
> >
> >
> >
>
>
>
> --
>
> Best regards,
>
> --
> Pablo Rincón Crespo
> Security researcher and developer
> Open Information Security Foundation -
> http://www.openinfosecfoundation.org
> Emerging Threats Pro, INC - http://www.emergingthreatspro.com
> ------------------------------------
>



-- 
Cordialement/Regards,

Sébastien Damaye
http://www.aldeid.com
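
An added illustration of the scoping discussed in this thread (not code from either poster and not Suricata code): a failed-login counter kept per flow, like a flowint variable, compared with one kept per pair of IP addresses, like the "Global Vars" idea. The event format, function names and client ports 37083/37084 are constructed for the example.

```python
from collections import defaultdict

SERVER = ("192.168.100.35", 21)

def session(client_port, lines, client_ip="192.168.100.37"):
    """Build constructed server->client events for one FTP connection.

    Each event is (flow_tuple, payload); a final "CLOSE" marks the end
    of the TCP connection, at which point the flow is destroyed.
    """
    flow = (SERVER[0], SERVER[1], client_ip, client_port)
    return [(flow, line) for line in lines] + [(flow, "CLOSE")]

def count_failures(events, scope, threshold=2):
    """Return (key, count) for every event where the counter >= threshold.

    scope="flow":    counter keyed by the full tuple and dropped on CLOSE,
                     which is how a flowint variable behaves.
    scope="ip_pair": counter keyed by the two addresses only and kept
                     across connections (hypothetical host-pair variable).
    """
    counters = defaultdict(int)
    alerts = []
    for flow, payload in events:
        src, _, dst, _ = flow
        key = flow if scope == "flow" else frozenset((src, dst))
        if payload == "CLOSE":
            if scope == "flow":
                counters.pop(key, None)  # flow destroyed, vars released
            continue
        if "incorrect" in payload:       # same content match as the rules
            counters[key] += 1
            if counters[key] >= threshold:
                alerts.append((key, counters[key]))
    return alerts

BAD = "530 Login incorrect."
# One failed login per connection, reconnecting each time (first capture).
reconnecting = (session(37082, [BAD]) + session(37083, [BAD])
                + session(37084, [BAD]))
# Two failed logins inside one connection via "user root" (second test).
same_session = session(3656, [BAD, BAD])

if __name__ == "__main__":
    print("flow scope, reconnecting:   ", count_failures(reconnecting, "flow"))
    print("ip_pair scope, reconnecting:", count_failures(reconnecting, "ip_pair"))
    print("flow scope, same session:   ", count_failures(same_session, "flow"))
```

With flow scope the reconnecting client never raises an alert because each connection starts from zero, while the same two failures inside one connection do.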