2

I am setting up an Intrusion Detection System (IDS) using Suricata. I want to write a custom rule which will generate an alert whenever a failed login attempts occur to my virtual machine.

Example:

alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt";flow:established,to_server;content:"SSH";nocase;offset:0; depth:4;detection_filter:track by_src, count 2, seconds 2;sid:2005; rev:1;)

I tried various combinations for SSH rule but not able to see any alerts in the Suricata Alerts section with multiple bad SSH attempts. (Bad attempts => using invalid password to generate alerts)

Kindly let me know how to go about this.

Marcel
  • 1,443
  • 2
  • 14
  • 24
Siddesh S
  • 21
  • 1
  • 1
  • 4

2 Answers2

6

Since you are really attempting to look at the encrypted content (which is where the authentication and subsequent failure message will be), Snort/suricata isn't the ideal tool to use in the way that you describe. Instead, log monitoring would be a better approach.

There are other alternatives, however. You might look into Fail2Ban for automatic blocking at the IPTables level.

If you really want to do it with Snort/Suricata, you could use alert thresholds. For example:

 alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Possible SSH brute forcing!"; flags: S+; threshold: type both, track by_src, count 5, seconds 30; sid:10000001; rev: 1;)

This tells Snort/Suricata to generate an alert on inbound connections (inbound packets with SYN set) when a threshold of 5 connections are seen from a single source in the space of 30 seconds. The threshold "both" indicates that it will not alert until this threshold is passed and that it will only generate one alert to notify you, rather than starting to inundate you with alerts.

Note that I have marked the flags as S+. Don't use just SYN. Remember that ECN has become a real "thing" and that you may find that the two bits that Snort/Suricata still call "Reserved" are set as a result of an ECN negotiation.

David Hoelzer
  • 15,862
  • 4
  • 48
  • 67
  • I have used your rule, to test it I tried a bunch of ssh local_ip and it doesn't work, my sshd has password authentication disabled, so I'm only getting the usual permission denied(publickey) message. I changed external/home to any. I'm getting this error: `rule 10000001: SYN-only to port(s) 22:22 w/o direction specified, disabling for toclient direction ` Any idea why? – Reda Drissi Mar 12 '20 at 16:52
0

Check out https://github.com/sshlog/agent

This daemon watches for SSH logins attempts and commands. They have an example that generates a Slack alert whenever a failed login occurs, but you can customize this to send a WebHook, an e-mail, or whatever else you can think of using a custom Plug-in.

Derrick Johnson
  • 377
  • 5
  • 9