Hackosis is an Open Blog. You Can Participate.

  • 29
  • Aug

I got hacked not too long ago, so I decided to setup snort patched with snortsam to stop the intruders. This acually works very well.

They got in by brute forcing a log in page for the web mail interface. The intruders also used the compose mail page to send spam after they broke in.

I wrote my own snort rule to detect and block brute forcing and sending spam through the web mail (It will only block if you have snortsam properly setup). This rule blocks anyone that does an HTTP POST more than 30 times within 60 seconds (I believe it is a ratio – average of 2 times per second).

alert tcp any any -> X.X.X.X 80 ( content: "POST"; nocase; msg: "Webmail Brute Force Attempt or Spam Attack"; threshold: type both, track by_src, count 30, seconds 60; sid:123456789; rev:1; fwsam: src, 5 minutes;)

HINT: Replace X.X.X.X with the IP of your web server. Take out the “fwsam: src, 5 minutes;” if you are not using snortsam (you should be ;p). Replace 123456789 with your own custom ID and make it large so it doesn’t conflict with default snort rules.

Have you wrote any custom snort rules or do you have a suggestion to improve this rule? Show us in the comments.

[Slashdot] [Digg] [Reddit] [del.icio.us] [Facebook] [Technorati] [Google] [StumbleUpon]

Related Posts


Tags: , , , , , ,

Like this post? Subscibe to the RSS feed.


2 Comments

  1. arty Says:
    August 30th, 2008 at 6:03 am

    I don’t use snort anymore, but to block DDoS and brute force attacks Apache’s mod_evasive is pretty useful.

  2. Shane Says:
    August 30th, 2008 at 8:20 am

    Didn’t know about that, thanks for the tip arty.

Leave a Comment