[Oisf-devel] Fwd: [Suricata] Question about flowint - incrementing counter

Sebastien Damaye sebastien.damaye at gmail.com
Wed Mar 16 14:32:18 UTC 2011


Hi team,

I'm currently testing Suricata in the shape of a comparative analysis with
Snort. I've been in contact with Anoop Saldanha who advised me to post my
question to the dev team mailing list.
Here is my issue:

I'm not sure how to use flowint to trigger an alert after 3 bad logins on an
FTP account.
Here are my rules:

*alert tcp any any -> any any (msg:"Counting Failed Logins";
content:"incorrect"; flowint: username, notset; flowint:username, =, 1;
noalert; sid:1;)*
*alert tcp any any -> any any (msg:"More than three Failed Logins!";
content:"incorrect"; flowint: username, isset; flowint:username, +, 1;
flowint:username, >, 3; sid:2;)*


I have tested to track the string "incorrect" to ensure it was correct:

*alert tcp any any -> any any (msg:"test_incorrect"; content:"incorrect";
sid:1;)*


And it works fine. Here is the output in /var/log/suricata/fast.log:

*03/16/2011-14:25:23.146103  [**] [1:1:0] test_incorrect [**]
[Classification: (null)] [Priority: 3] {TCP} 192.168.100.35:21 ->
192.168.100.37:37082*


You will find attached to this mail a pcap capture realized with tcpdump
(tcpdump -lnx -s 1500 -i eth0 -w badlogins.cap 'port 21') to track the
failed authentication attempts.
I'm also joining my suricata.yaml configuration in case you would need it...

I have the feeling that the counter is not auto-incrementing...
Many thanks in advance for your help.

-- 
Cordialement/Regards,

S├ębastien Damaye
http://www.aldeid.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110316/9776a278/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: badlogins.cap
Type: application/octet-stream
Size: 8350 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110316/9776a278/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 23201 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110316/9776a278/attachment-0001.obj>


More information about the Oisf-devel mailing list