Hackosis

I got hacked not too long ago, so I decided to setup snort patched with snortsam to stop the intruders. This acually works very well.

They got in by brute forcing a log in page for the web mail interface. The intruders also used the compose mail page to send spam after they broke in.

I wrote my own snort rule to detect and block brute forcing and sending spam through the web mail (It will only block if you have snortsam properly setup). This rule blocks anyone that does an HTTP POST more than 30 times within 60 seconds (I believe it is a ratio – average of 2 times per second).

HINT: Replace X.X.X.X with the IP of your web server. Take out the “fwsam: src, 5 minutes;” if you are not using snortsam (you should be ;p). Replace 123456789 with your own custom ID and make it large so it doesn’t conflict with default snort rules.

Have you wrote any custom snort rules or do you have a suggestion to improve this rule? Show us in the comments.

Emerging Threats hosts the only open snort rule set.

Emerging Threats is funded by National Science Foundation and the Army Research Office.

You can download the rule sets separately or all at once.

Check out the perl script to automatically update your iptables, Honeywall and Smoothwall configurations, and the inline snort config.

Confused? Read the Emerging Threats documentation site.

What is Snort?

SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

If you use snort and don’t already know about Emerging Threats I am sure it will help you out on your intrusion detecting escapade. If you have any tips for using Emerging Threat’s rules let us know in the comments.