[Oisf-devel] Fwd: [Suricata] Question about flowint - incrementing counter
Sebastien Damaye
sebastien.damaye at gmail.com
Wed Mar 16 14:32:18 UTC 2011
Hi team,
I'm currently testing Suricata in the shape of a comparative analysis with
Snort. I've been in contact with Anoop Saldanha who advised me to post my
question to the dev team mailing list.
Here is my issue:
I'm not sure how to use flowint to trigger an alert after 3 bad logins on an
FTP account.
Here are my rules:
*alert tcp any any -> any any (msg:"Counting Failed Logins";
content:"incorrect"; flowint: username, notset; flowint:username, =, 1;
noalert; sid:1;)*
*alert tcp any any -> any any (msg:"More than three Failed Logins!";
content:"incorrect"; flowint: username, isset; flowint:username, +, 1;
flowint:username, >, 3; sid:2;)*
I have tested to track the string "incorrect" to ensure it was correct:
*alert tcp any any -> any any (msg:"test_incorrect"; content:"incorrect";
sid:1;)*
And it works fine. Here is the output in /var/log/suricata/fast.log:
*03/16/2011-14:25:23.146103 [**] [1:1:0] test_incorrect [**]
[Classification: (null)] [Priority: 3] {TCP} 192.168.100.35:21 ->
192.168.100.37:37082*
You will find attached to this mail a pcap capture realized with tcpdump
(tcpdump -lnx -s 1500 -i eth0 -w badlogins.cap 'port 21') to track the
failed authentication attempts.
I'm also joining my suricata.yaml configuration in case you would need it...
I have the feeling that the counter is not auto-incrementing...
Many thanks in advance for your help.
--
Cordialement/Regards,
Sébastien Damaye
http://www.aldeid.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110316/9776a278/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: badlogins.cap
Type: application/octet-stream
Size: 8350 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110316/9776a278/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: suricata.yaml
Type: application/octet-stream
Size: 23201 bytes
Desc: not available
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-devel/attachments/20110316/9776a278/attachment-0001.obj>
More information about the Oisf-devel
mailing list