FTP BRUTE FORCE DETECTION

This rule uses the "ftp" signature condition, which matches a regular expression against the command-line input of FTP sessions (the client side of the control channel). The aim is to detect FTP login attempts with an "admin" username, which can help identify possible admin account abuse or compromise.

BASIC

root@dco:~$ nano ftp-admin.sig
 # Match any FTP client command line containing USER followed by "dmin".
 # Signature regexes are case-sensitive, so "dmin" catches admin, Admin
 # and administrator alike.
 signature ftp-admin {
   ip-proto == tcp
   ftp /.*USER.*dmin.*/
   event "FTP Admin Login Attempt!"
 }
 
root@dco:~$ zeek -C -r ftp.pcap -s ftp-admin.sig

root@dco:~$ cat signatures.log | zeek-cut src_addr dst_addr event_msg sub_msg | sort -r | uniq
 10.234.125.254	10.121.70.151	10.234.125.254: FTP Admin Login Attempt!	USER administrator
 10.234.125.254	10.121.70.151	10.234.125.254: FTP Admin Login Attempt!	USER admin 
 
 * this rule reports every login attempt whose username contains the "dmin" substring
    - note that Zeek signature regexes are case-sensitive; matching on "dmin" instead of "admin" is what lets one rule catch "admin", "Admin" and "administrator", i.e. ALL admin-style login attempts, whether they succeed or fail
       - to reduce false positives, a signature this broad must be paired with a signature for the known threat/anomaly itself (here the server's "530 Login incorrect" reply) rather than alerting on the username alone
 

MODIFIED

root@dco:~$ nano ft-adminModified.sig
 # Fire on every USER command sent by the client (any username).
 signature ftp-username {
   ip-proto == tcp
   ftp /.*USER.*/
   event "FTP Username Input Found!"
 }

 # "payload" matches raw packet payload in either direction, so this one
 # fires on the server's 530 "Login incorrect" reply to a failed login.
 signature ftp-brute {
   ip-proto == tcp
   payload /.*530.*Login.*incorrect.*/
   event "FTP Brute-force Attempt!"
 }
 
root@dco:~$ zeek -C -r ftp.pcap -s ft-adminModified.sig
root@dco:~$ cat notice.log | zeek-cut uid id.orig_h id.resp_h msg sub | sort -r | uniq | nl | sed -n '1001,1004p'
  1001	CeMYiaHA6AkfhSnd	10.234.125.254	10.121.70.151	10.234.125.254: FTP Username Input Found!	USER admin
  1002	CeMYiaHA6AkfhSnd	10.234.125.254	10.121.70.151	10.121.70.151: FTP Brute-force Attempt!	530 Login incorrect.
  1003	CeDTDZ2erDNF5w7dyf	10.234.125.254	10.121.70.151	10.234.125.254: FTP Username Input Found!	USER administrator
  1004	CeDTDZ2erDNF5w7dyf	10.234.125.254	10.121.70.151	10.121.70.151: FTP Brute-force Attempt!	530 Login incorrect.
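The two signatures only tag individual packets; deciding that a client is brute-forcing still means pairing each 530 reply with the USER command on the same connection and counting failures per source. The script below does that correlation over notice.log-style lines. It is an added example, not code from the page's Zeek setup: the sample lines are constructed in the column order of the zeek-cut command above (uid, id.orig_h, id.resp_h, msg, sub) with made-up uids and a second client 10.50.0.9, and the threshold of 3 is an arbitrary choice.

```python
import re
from collections import defaultdict

# Regexes mirroring the two Zeek signatures on this page. Zeek signature
# regexes are case-sensitive, so "dmin" is what lets the pattern catch
# "admin", "Admin" and "administrator" alike.
ADMIN_USER_RE = re.compile(r"USER.*dmin")
LOGIN_FAILED_RE = re.compile(r"530.*Login.*incorrect")
USER_CMD_RE = re.compile(r"^USER\s+(\S+)")

# Constructed sample in the column order of the zeek-cut command above
# (uid, id.orig_h, id.resp_h, msg, sub). Uids and the 10.50.0.9 client
# are made up for this example; this is not output from the page's pcap.
SAMPLE_NOTICES = (
    "Cuid0001\t10.234.125.254\t10.121.70.151\t10.234.125.254: FTP Username Input Found!\tUSER admin\n"
    "Cuid0001\t10.234.125.254\t10.121.70.151\t10.121.70.151: FTP Brute-force Attempt!\t530 Login incorrect.\n"
    "Cuid0002\t10.234.125.254\t10.121.70.151\t10.234.125.254: FTP Username Input Found!\tUSER administrator\n"
    "Cuid0002\t10.234.125.254\t10.121.70.151\t10.121.70.151: FTP Brute-force Attempt!\t530 Login incorrect.\n"
    "Cuid0003\t10.234.125.254\t10.121.70.151\t10.234.125.254: FTP Username Input Found!\tUSER Admin\n"
    "Cuid0003\t10.234.125.254\t10.121.70.151\t10.121.70.151: FTP Brute-force Attempt!\t530 Login incorrect.\n"
    "Cuid0004\t10.50.0.9\t10.121.70.151\t10.50.0.9: FTP Username Input Found!\tUSER admin\n"
    "Cuid0005\t10.50.0.9\t10.121.70.151\t10.121.70.151: FTP Brute-force Attempt!\t530 Login incorrect.\n"
)


def parse_notices(text):
    """Split zeek-cut style TSV lines into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 5:
            continue
        uid, orig_h, resp_h, msg, sub = parts
        records.append({"uid": uid, "orig_h": orig_h, "resp_h": resp_h,
                        "msg": msg, "sub": sub})
    return records


def admin_login_attempts(records):
    """Equivalent of the ftp-admin signature: every USER line matching 'USER.*dmin'."""
    return [(r["orig_h"], r["sub"]) for r in records if ADMIN_USER_RE.search(r["sub"])]


def failed_logins_by_source(records):
    """Correlate each 530 reply with the last USER seen on the same uid.

    Returns {client_ip: [username, ...]} of failed attempts. id.orig_h is
    the connection originator (the client) even for the server's 530
    packet, so failures are keyed by client. A 530 with no preceding USER
    on that connection is kept as '<unknown>' rather than dropped, so the
    count is never under-reported.
    """
    last_user = {}  # uid -> most recent username on that connection
    failures = defaultdict(list)
    for r in records:
        m = USER_CMD_RE.match(r["sub"])
        if m:
            last_user[r["uid"]] = m.group(1)
        elif LOGIN_FAILED_RE.search(r["sub"]):
            failures[r["orig_h"]].append(last_user.get(r["uid"], "<unknown>"))
    return dict(failures)


def brute_force_sources(failures, threshold=3):
    """Clients whose failed-login count reaches the (arbitrary) threshold."""
    return sorted(ip for ip, users in failures.items() if len(users) >= threshold)


if __name__ == "__main__":
    recs = parse_notices(SAMPLE_NOTICES)
    for ip, user in admin_login_attempts(recs):
        print(f"admin attempt from {ip}: {user}")
    fails = failed_logins_by_source(recs)
    for ip in brute_force_sources(fails):
        print(f"brute force from {ip}: {len(fails[ip])} failures, users {fails[ip]}")
```

Run against the sample, 10.50.0.9 tries "admin" once and never triggers the threshold, while 10.234.125.254 is flagged with three failed admin-style usernames; the username correlation is what turns the page's two packet-level signatures into a per-client brute-force verdict.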
