[Oisf-users] rules for failed logins

Anoop Saldanha anoopsaldanha at gmail.com
Thu Jul 18 09:45:34 UTC 2013


On Wed, Jul 17, 2013 at 4:53 AM, Theodore Elhourani
<theodore.elhourani at gmail.com> wrote:
> Hi,
>
> I am trying to generate alerts for multiple failed ftp logins. The rules I
> am using are
>
>
> (1) alert tcp any any -> any any (msg:"incorrect login attempt -- count
> logins !"; content:"incorrect"; flowint:loginfail, +, 1; sid:101;)
> (2) alert tcp any any -> any any (msg:"Two login attempts fail in a Stream";
> content:"incorrect"; flowint:loginfail, ==, 2; sid:102;)
>
>
> I tried using
>
> (3) alert tcp any any -> any any (msg:"Two or more login attempts fail in a
> Stream"; content:"incorrect"; flowint:loginfail, >, 1; sid:103;)
>
> to alert for more than one failed login attempt.
>
> I haven't been able to generate an alert using both (2) and (3). At least
> three failed login attempts occur in a single stream.
>
> Suricata is generating an alert when an alertall rule like this one is
> used:
> alert tcp any any -> any any (msg:"Two login attempts fail in a Stream";
> content:"incorrect";)
>
> Can someone tell me what is missing in the rules? The client/server capture
> is attached for reference.
>

I think attaching a dsize:>0; to the first rule should fix this issue.

Why the content:"incorrect" on the second rule?

-- 
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
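The rule set below is an added example, not part of the thread and not Suricata project code: it is the poster's three rules rewritten along the lines of the reply above (dsize:>0 on the counting rule, so that payload-less packets such as pure ACKs never reach the flowint increment). Assumptions that are mine and not from the thread: the FTP server answers from port 21, its failure reply contains "Login incorrect" (the 530 text that vsftpd, for instance, sends; adjust the content match to your server's banner), and the sids 1000101 to 1000103 are free in your ruleset.

```suricata
# Added example: failed-FTP-login counter per flow (assumes server on port 21
# and a "Login incorrect" failure banner; both are assumptions, not facts from
# the thread).

# (1) Counter only. dsize:>0 keeps payload-less packets out of the match path,
#     flow:established,to_client limits the increment to server replies, and
#     noalert suppresses the event so this rule maintains the counter and
#     generates nothing itself.
alert tcp any 21 -> any any (msg:"FTP login failure counter"; flow:established,to_client; dsize:>0; content:"Login incorrect"; flowint:loginfail,+,1; noalert; sid:1000101; rev:1;)

# (2) Exactly the second failure in one flow. The content match is kept on
#     purpose: it restricts evaluation to packets that actually carry a failure
#     reply, so together with ==,2 the rule fires on one packet per flow, the
#     one carrying the second failure, rather than on every later server packet
#     while the counter happens to equal 2.
alert tcp any 21 -> any any (msg:"FTP: two login failures in one flow"; flow:established,to_client; dsize:>0; content:"Login incorrect"; flowint:loginfail,==,2; sid:1000102; rev:1;)

# (3) Every failure after the first. Same shape with >,1; without the content
#     match this would fire on every server packet once the counter exceeds 1,
#     which is why the match stays here as well.
alert tcp any 21 -> any any (msg:"FTP: repeated login failures in one flow"; flow:established,to_client; dsize:>0; content:"Login incorrect"; flowint:loginfail,>,1; sid:1000103; rev:1;)
```

Load the file with the usual rule-files entry in suricata.yaml and replay the poster's capture with suricata -r; with three failures in one flow you should see one event from sid 1000102 and two from sid 1000103. The counting rule relies on Suricata evaluating it before the comparison rules on the same packet; if you see an off-by-one in your version, the flowbits idiom (flowbits:isnotset plus flowbits:set in the alerting rule, with >=,2 instead of ==,2) gives a once-per-flow alert that does not depend on evaluation order.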