[Oisf-users] rules for failed logins
Theodore Elhourani
theodore.elhourani at gmail.com
Tue Jul 16 23:23:11 UTC 2013
Hi,
I am trying to generate alerts for multiple failed ftp logins. The rules I
am using are
(1) alert tcp any any -> any any (msg:"incorrect login attempt -- count logins !"; content:"incorrect"; flowint:loginfail, +, 1; sid:101;)
(2) alert tcp any any -> any any (msg:"Two login attempts fail in a Stream"; content:"incorrect"; flowint:loginfail, ==, 2; sid:102;)
I tried using
(3) alert tcp any any -> any any (msg:"Two or more login attempts fail in a Stream"; content:"incorrect"; flowint:loginfail, >, 1; sid:103;)
to alert for more than one failed login attempt.
I haven't been able to generate an alert using both (2) and (3). At least
three failed login attempts occur in a single stream.
Suricata is generating an alert when an alert-all rule like this one is used:
alert tcp any any -> any any (msg:"Two login attempts fail in a Stream"; content:"incorrect";)
Can someone tell me what is missing in the rules? The client/server capture
is attached for reference.
Thank you
Ted
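For comparison, the counting pattern that the Suricata flowint documentation uses for exactly this kind of per-flow login-failure count, adapted here to the poster's variable name and match string. This is an added example, not part of the original message, and the sids, the threshold of 3, and the assumption that an unset flowint never satisfies a comparison are the editor's, not the poster's.

```suricata
# Added example (editor's, based on the documented flowint pattern; not the poster's rules).
# Step 1: when "incorrect" is seen and the counter does not exist yet, create it at 1.
alert tcp any any -> any any (msg:"FTP login failure - start counting"; content:"incorrect"; flowint:loginfail, notset; flowint:loginfail, =, 1; noalert; sid:1000001; rev:1;)

# Step 2: on every later "incorrect" in the same flow, bump the existing counter.
alert tcp any any -> any any (msg:"FTP login failure - counting"; content:"incorrect"; flowint:loginfail, isset; flowint:loginfail, +, 1; noalert; sid:1000002; rev:1;)

# Step 3: the only rule that actually alerts: fire once the counter passes the threshold
# (assumed threshold of 3 failures in one flow; tune to local policy).
alert tcp any any -> any any (msg:"FTP: three or more failed logins in one flow"; content:"incorrect"; flowint:loginfail, isset; flowint:loginfail, >, 2; sid:1000003; rev:1;)
```

The counting rules carry noalert so only the threshold rule produces an event; because all three rules match the same packet, the counter's visible value on that packet depends on the order in which Suricata evaluates them, which is why the isset/notset guards are used rather than relying on an uninitialised variable.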