04-11-2002 07:14 PM - edited 02-21-2020 09:59 AM
I created a custom signature to detect telnet authentication failure. It belongs to the STRING.TCP engine.
Here are the signature's parameters:
SID 20005, Engine: STRING.TCP
1 - AlarmThrottle = FireAll
2 - ChokeThreshold =
3 - Direction = ToService
4 - FlipAddr = True
5 - MaxInspectLength =
6 - MinHits = 1
7 - MinMatchLength =
8 - MultipleHits =
9 * RegexString = *
10 - ResetAfterIdle = 15
11 - ServicePorts = 23
12 - SigComment =
13 - SigName = telnet failure on port 23
14 - SigStringInfo =
15 - StripTelnetOptions =
16 - ThrottleInterval = 15
17 - WantFrag =
Address mapping
20005 * * 10.70.75.140
Then I tried to telnet to 10.70.75.140 with two login failures, but there were no alarms in the log file of the sensor.
Is there something wrong?
04-11-2002 10:19 PM
You can use the ATOMIC.TCP engine to write three different kinds of telnet login failures. The STRING.TCP sigs will count MinHits only on one TCP stream (connection) and will not catch repeated login failures across different connections. With ATOMIC.TCP, you can set the StorageKey parameter to one of DUAL, DST, or SRC. These will give you alarms when there are multiple failures: between two hosts (DUAL), to a server (SRC), or from a client (DST).
I have tested the following DUAL signature tonight:
AlarmInterval 60
AlarmThrottle FireAll
ChokeThreshold ANY
Mask ACK
MinHits 3
SigName 3 telnet login failures between 2 hosts in less than 60 seconds.
SinglePacketRegex [Ll]ogin incorrect
SrcPort 23
StorageKey DUAL
TcpFlags ACK
Note that when using SigWizMenu, you can either put the value ANY for ChokeThreshold, or choose to 'delete' its value.
The AlarmInterval value is the number of seconds it will count for login failures.
If the count reaches MinHits, the alarm will be fired. Change this value if you want to count for a longer or shorter time for failures.
You may want to make 3 separate signatures, one DUAL as above, and the others StorageKey SRC and StorageKey DST if you want to experiment with the different counting techniques.
Your STRING.TCP signature was close, but needed a RegexString of [Ll]ogin incorrect and Direction FromService (because the match happens on the server's failure response).
You also may want to check the "Login incorrect" response on the servers you are protecting and make sure it doesn't use a different response string.
Let us know how it goes,
-JK
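As an added illustration of the counting difference JK describes (not code from this thread or from Cisco), here is a small Python model of the ATOMIC.TCP semantics: the same [Ll]ogin incorrect regex, counted per StorageKey inside a sliding AlarmInterval, with a "STREAM" key standing in for STRING.TCP's per-connection count. The sample packets, client addresses and the "STREAM" key name are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic: (time_s, src_ip, src_port, dst_ip, dst_port, payload).
# Each packet is the server's telnet failure banner. The first three are from three
# separate connections to one client; the fourth is to another client, much later.
SAMPLE_PACKETS = [
    (0,   "10.70.75.140", 23, "10.70.75.200", 40001, b"Login incorrect\r\n"),
    (20,  "10.70.75.140", 23, "10.70.75.200", 40002, b"login incorrect\r\n"),
    (45,  "10.70.75.140", 23, "10.70.75.200", 40003, b"Login incorrect\r\n"),
    (200, "10.70.75.140", 23, "10.70.75.201", 40004, b"Login incorrect\r\n"),
]
SINGLE_PACKET_REGEX = re.compile(rb"[Ll]ogin incorrect")


class FailureCounter:
    """Counts regex hits per StorageKey inside a sliding AlarmInterval window."""
    def __init__(self, storage_key, min_hits=3, alarm_interval=60, src_port=23):
        self.storage_key = storage_key
        self.min_hits = min_hits
        self.alarm_interval = alarm_interval
        self.src_port = src_port
        self.hits = defaultdict(deque)  # key -> timestamps of matching packets

    def key_for(self, src, sport, dst, dport):
        if self.storage_key == "DUAL":  # between one server and one client
            return (src, dst)
        if self.storage_key == "SRC":   # sent by one server (SrcPort 23)
            return src
        if self.storage_key == "DST":   # received by one client
            return dst
        return (src, sport, dst, dport)  # "STREAM": per connection, like STRING.TCP

    def feed(self, pkt):
        # Returns an alarm string when MinHits is reached for the key, else None.
        t, src, sport, dst, dport, payload = pkt
        if sport != self.src_port or not SINGLE_PACKET_REGEX.search(payload):
            return None
        key = self.key_for(src, sport, dst, dport)
        hits = self.hits[key]
        hits.append(t)
        while t - hits[0] > self.alarm_interval:  # drop hits older than the window
            hits.popleft()
        if len(hits) >= self.min_hits:
            hits.clear()  # start a fresh count after firing
            return f"{self.storage_key}: {self.min_hits} login failures for {key}"
        return None


def alarms(storage_key, packets=SAMPLE_PACKETS):
    counter = FailureCounter(storage_key)
    return [a for a in map(counter.feed, packets) if a]
```

Run `alarms("DUAL")` against `alarms("STREAM")`: the three failures spread over three connections fire once under DUAL, SRC and DST, and never under the per-connection count.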
04-12-2002 02:14 AM
Thank you very much for your clear explanations of the difference between the STRING.TCP engine and the ATOMIC.TCP engine. It helps me a lot.
But I don't know if there is any difference between the version of the Sensor that I and you are using.
When I created a new custom signature belonging to ATOMIC.TCP engine, there were no parameters: StorageKey, RegexString and SourcePort. I am using Sensor 4210 ver 3.0(1)S4 and Unix Director 2.2.3.
Using the nrConfigure, there is a place for me to add a new RegexString. I added a new RegexString with some parameters as Mr Jakasper directed:
-String: [Ll]ogin incorrect
-Occurrences:3
-Port: 23
-Direction: To &From
Then when I tried to telnet to a machine with 3 times failure, I found an alarm in the log file in Sensor indicating this event.
I wonder why a signature in ATOMIC.TCP does not have the parameter specifying ServicePorts?
Besides that, there is no place for me to tell a particular RegexString to fire just on a specific machine, not on all machines in the protected network.
04-12-2002 06:46 AM
Your sensor version is the first 3.0 release. You will need to update to get the latest signatures and get the enhancements to ATOMIC.TCP which include the SinglePacketRegex parameter.
Typically, you will want to watch for the notification about the Signature Update and Service Pack releases because the new signature sets will give you better intrusion coverage and the service packs fix bugs and give you new features.
The "string match" signature for this is good, but it does not count the failed logins across different connections.
Good luck,
-JK