[Oisf-users] rules for failed logins

Theodore Elhourani theodore.elhourani at gmail.com
Thu Aug 1 18:29:31 UTC 2013


Thank you, this helped.


On Thu, Jul 18, 2013 at 2:45 AM, Anoop Saldanha <anoopsaldanha at gmail.com>wrote:

> On Wed, Jul 17, 2013 at 4:53 AM, Theodore Elhourani
> <theodore.elhourani at gmail.com> wrote:
> > Hi,
> >
> > I am trying to generate alerts for multiple failed ftp logins. The rules I
> > am using are
> >
> >
> > (1) alert tcp any any -> any any (msg:"incorrect login attempt -- count logins !"; content:"incorrect"; flowint:loginfail, +, 1; sid:101;)
> > (2) alert tcp any any -> any any (msg:"Two login attempts fail in a Stream"; content:"incorrect"; flowint:loginfail, ==, 2; sid:102;)
> >
> >
> > I tried using
> >
> > (3) alert tcp any any -> any any (msg:"Two or more login attempts fail in a Stream"; content:"incorrect"; flowint:loginfail, >, 1; sid:103;)
> >
> > to alert for more than one failed login attempt.
> >
> > I haven't been able to generate an alert using both (2) and (3). At least
> > three failed login attempts occur in a single stream.
> >
> > Suricata is generating an alert when an alertall rule like this one is
> > used:
> > alert tcp any any -> any any (msg:"Two login attempts fail in a Stream"; content:"incorrect";)
> >
> > Can someone tell me what is missing in the rules? The client/server capture
> > is attached for reference.
> >
>
> I think attaching a dsize:>0; to the first rule should fix this issue.
>
> Why the content:"incorrect" on the second rule?
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
>
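As an added illustration (not part of the thread, and not Suricata's own code), the following Python script models what the three flowint rules above are meant to do: sid 101 increments a per-flow counter on every "incorrect" response, and sids 102 and 103 compare that counter. It evaluates the rules in listed order against a constructed FTP control-channel exchange with three failed logins plus a payload-less ACK. Assumptions: the rule parser only handles the options these rules use (msg, content, dsize, flowint, sid), an unset counter is treated as 0 when incremented and never matches a comparison, and the flow key, addresses and session lines are made up. The model does not reproduce Suricata's stream reassembly, so it cannot show why the suggested dsize:>0 changes the outcome in the real engine; it only shows the intended per-flow counting.

```python
# Added example (not from the thread): a small Python model of how Suricata's
# flowint per-flow counters are meant to behave for the three rules above.
# Rules are evaluated in listed order; stream reassembly is not modelled.
import operator
import re
from dataclasses import dataclass
from typing import Optional

# The thread's rules, with the suggested dsize:>0 added to sid 101.
RULES_TEXT = [
    'alert tcp any any -> any any (msg:"incorrect login attempt -- count logins !"; '
    'content:"incorrect"; dsize:>0; flowint:loginfail, +, 1; sid:101;)',
    'alert tcp any any -> any any (msg:"Two login attempts fail in a Stream"; '
    'content:"incorrect"; flowint:loginfail, ==, 2; sid:102;)',
    'alert tcp any any -> any any (msg:"Two or more login attempts fail in a Stream"; '
    'content:"incorrect"; flowint:loginfail, >, 1; sid:103;)',
]

COMPARE = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
           "<": operator.lt, ">=": operator.ge, "<=": operator.le}
OPTION_RE = re.compile(r"(\w+):([^;]*);")


@dataclass
class Rule:
    sid: int
    msg: str
    content: Optional[bytes]      # content:"..." is a case-sensitive substring test
    dsize_gt: Optional[int]       # only the dsize:>N form is modelled
    flowint: Optional[tuple]      # (name, op, value)


def parse_rule(text: str) -> Rule:
    """Parse just the options these rules use: msg, content, dsize, flowint, sid."""
    body = text[text.index("(") + 1:text.rindex(")")]
    opts = {k: v.strip() for k, v in OPTION_RE.findall(body)}
    flowint = None
    if "flowint" in opts:
        name, op, value = [p.strip() for p in opts["flowint"].split(",")]
        flowint = (name, op, int(value))
    dsize_gt = None
    if "dsize" in opts:
        m = re.fullmatch(r">(\d+)", opts["dsize"])
        if m is None:
            raise ValueError(f"unsupported dsize form: {opts['dsize']}")
        dsize_gt = int(m.group(1))
    content = opts["content"].strip('"').encode() if "content" in opts else None
    return Rule(int(opts["sid"]), opts["msg"].strip('"'), content, dsize_gt, flowint)


@dataclass
class Packet:
    flow: str       # stands in for the 5-tuple that Suricata keys flow state on
    payload: bytes


def evaluate(rules, packets):
    """Run every rule, in listed order, over each packet; counters live per flow."""
    flow_vars = {}
    alerts = []                      # (sid, flow, loginfail value after the rule ran)
    for pkt in packets:
        counters = flow_vars.setdefault(pkt.flow, {})
        for rule in rules:
            if rule.dsize_gt is not None and len(pkt.payload) <= rule.dsize_gt:
                continue
            if rule.content is not None and rule.content not in pkt.payload:
                continue
            if rule.flowint is not None:
                name, op, value = rule.flowint
                if op == "+":
                    # assumption of this model: an unset counter counts as 0
                    counters[name] = counters.get(name, 0) + value
                elif op in COMPARE:
                    # assumption of this model: comparing an unset counter never matches
                    if name not in counters or not COMPARE[op](counters[name], value):
                        continue
                else:
                    raise ValueError(f"unsupported flowint op {op!r}")
            alerts.append((rule.sid, pkt.flow, counters.get("loginfail")))
    return alerts


# Constructed FTP control-channel exchange: three failed logins in one flow.
FLOW = "10.0.0.5:51234 -> 10.0.0.9:21"
SESSION = [
    Packet(FLOW, b"220 FTP server ready\r\n"),
    Packet(FLOW, b"USER alice\r\n"),
    Packet(FLOW, b"331 Password required for alice\r\n"),
    Packet(FLOW, b"PASS wrong1\r\n"),
    Packet(FLOW, b"530 Login incorrect.\r\n"),
    Packet(FLOW, b""),                          # bare ACK: no payload, no match
    Packet(FLOW, b"530 Login incorrect.\r\n"),
    Packet(FLOW, b"530 Login incorrect.\r\n"),
]


def run_example():
    return evaluate([parse_rule(r) for r in RULES_TEXT], SESSION)


if __name__ == "__main__":
    for sid, flow, count in run_example():
        print(f"sid {sid} on {flow}: loginfail={count}")
```

Running it yields sid 101 on each of the three "530 Login incorrect." responses, sid 102 exactly once (when the counter reaches 2) and sid 103 on the second and third failure; a second flow with a single failure only produces sid 101, which is the per-flow scoping the thread relies on.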