FTP BRUTE FORCE DETECTION
This rule uses the FTP content filter (the ftp signature condition) to inspect the command-line input of FTP traffic. The aim is to detect FTP "admin" login attempts, which can help identify possible admin account abuse or compromise events.
BASIC
root@dco:~$ nano ftp-admin.sig
signature ftp-admin {
ip-proto == tcp
ftp /.*USER.*dmin.*/
event "FTP Admin Login Attempt!"
}
root@dco:~$ zeek -C -r ftp.pcap -s ftp-admin.sig
root@dco:~$ cat signatures.log | zeek-cut src_addr dst_addr event_msg sub_msg | sort -r| uniq
10.234.125.254 10.121.70.151 10.234.125.254: FTP Admin Login Attempt! USER administrator
10.234.125.254 10.121.70.151 10.234.125.254: FTP Admin Login Attempt! USER admin
* This rule will display multiple login attempts with account names containing the phrase "admin".
- Note that this is a case-based signature and will catch ALL admin login attempts.
- In order to reduce false positives, global signatures MUST be used to detect the known threats/anomalies.
MODIFIED
root@dco:~$ nano ft-adminModified.sig
signature ftp-username {
ip-proto == tcp
ftp /.*USER.*/
event "FTP Username Input Found!"
}
signature ftp-brute {
ip-proto == tcp
payload /.*530.*Login.*incorrect.*/
event "FTP Brute-force Attempt!"
}
root@dco:~$ zeek -C -r ftp.pcap -s ft-adminModified.sig
root@dco:~$ cat notice.log | zeek-cut uid id.orig_h id.resp_h msg sub | sort -r| nl | uniq | sed -n '1001,1004p'
1001 CeMYiaHA6AkfhSnd 10.234.125.254 10.121.70.151 10.234.125.254: FTP Username Input Found! USER admin
1002 CeMYiaHA6AkfhSnd 10.234.125.254 10.121.70.151 10.121.70.151: FTP Brute-force Attempt! 530 Login incorrect.
1003 CeDTDZ2erDNF5w7dyf 10.234.125.254 10.121.70.151 10.234.125.254: FTP Username Input Found! USER administrator
1004 CeDTDZ2erDNF5w7dyf 10.234.125.254 10.121.70.151 10.121.70.151: FTP Brute-force Attempt! 530 Login incorrect.
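As an added post-processing example (not part of the original notes), the Python script below correlates the two modified signatures' notices: it pairs each 530 reply with the last USER seen on the same connection uid, counts failures per source/destination pair, and flags a pair once a threshold is reached. The input is a constructed sample in the zeek-cut column order used above; the threshold value and the case-insensitive "admin" check are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the page's pcap) in the zeek-cut column
# order used above: uid, id.orig_h, id.resp_h, msg, sub (tab-separated).
SAMPLE_NOTICES = """\
CeMYiaHA6AkfhSnd\t10.234.125.254\t10.121.70.151\t10.234.125.254: FTP Username Input Found!\tUSER admin
CeMYiaHA6AkfhSnd\t10.234.125.254\t10.121.70.151\t10.121.70.151: FTP Brute-force Attempt!\t530 Login incorrect.
CeDTDZ2erDNF5w7dyf\t10.234.125.254\t10.121.70.151\t10.234.125.254: FTP Username Input Found!\tUSER administrator
CeDTDZ2erDNF5w7dyf\t10.234.125.254\t10.121.70.151\t10.121.70.151: FTP Brute-force Attempt!\t530 Login incorrect.
Cxyz9\t10.0.0.9\t10.121.70.151\t10.0.0.9: FTP Username Input Found!\tUSER alice
Cqrs7\t10.0.0.9\t10.121.70.151\t10.121.70.151: FTP Brute-force Attempt!\t530 Login incorrect.
"""

USER_RE = re.compile(r"^USER\s+(\S+)", re.IGNORECASE)
FAIL_RE = re.compile(r"^530\b")

def parse_notices(text):
    """Split zeek-cut output into (uid, src, dst, msg, sub) records."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == 5:
            rows.append(tuple(parts))
    return rows

def correlate_failures(rows):
    """Pair each 530 reply with the last USER on the same uid -> {(src, dst): [user, ...]}."""
    last_user = {}
    failures = defaultdict(list)
    for uid, src, dst, _msg, sub in rows:
        m = USER_RE.match(sub)
        if m:
            last_user[uid] = m.group(1)
        elif FAIL_RE.match(sub):
            # A 530 with no preceding USER on this connection is kept but marked unknown.
            failures[(src, dst)].append(last_user.get(uid, "<unknown>"))
    return dict(failures)

def flag_brute_force(failures, threshold=2):
    """Return (src, dst, count, usernames) for pairs at or over the assumed threshold."""
    return [(src, dst, len(u), u) for (src, dst), u in sorted(failures.items()) if len(u) >= threshold]

def failed_admin_logins(failures):
    """Failed usernames containing 'admin', case-insensitively (the ftp-admin signature is case-sensitive)."""
    return sorted(u for users in failures.values() for u in users if "admin" in u.lower())

if __name__ == "__main__":
    for src, dst, n, users in flag_brute_force(correlate_failures(parse_notices(SAMPLE_NOTICES))):
        print(f"{src} -> {dst}: {n} failed FTP logins ({', '.join(users)})")
```

Feed it real data with `cat notice.log | zeek-cut uid id.orig_h id.resp_h msg sub` and read the result from stdin instead of SAMPLE_NOTICES.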