{"id":272,"date":"2007-05-29T03:20:00","date_gmt":"2007-05-29T03:20:00","guid":{"rendered":"https:\/\/defragged.org\/ossec\/?p=272"},"modified":"2020-07-03T03:22:03","modified_gmt":"2020-07-03T03:22:03","slug":"log-analysis-using-snort","status":"publish","type":"post","link":"https:\/\/defragged.org\/ossec\/2007\/05\/log-analysis-using-snort\/","title":{"rendered":"Log analysis using Snort?"},"content":{"rendered":"\n

In the snort<\/a> mailing list there was a thread about detecting authentication failures (on ssh, apache, ftp, etc) using Snort. I love Snort, but using a NIDS (Network-Based IDS) for this kind of stuff is trying to use the right tool for the wrong reasons (yes, we could even write a syslog parser using it).<\/p>\n\n\n\n

That\u2019s why we need LIDS<\/strong> (Log-based Intrusion detection<\/em>). Check out my reply to this thread<\/a>:<\/p>\n\n\n\n

That\u2019s what I would call using the right tool for the wrong reasons (or something like that).<\/p>

The provided sshd signature does not detect brute force attacks, but multiple connections from the same
source ip (failed or not). The HTTP signature can easily generate false positivies since you are just
looking for the content \u201c404\u2033, and it would not work with SSL\u2026<\/p>

My point is: why not use log analysis to detect failed logins (and brute force attacks)? Both sshd, apache,
apache-ssl, ftp, telnet, etc ,etc log every failed login attempt (and every successful login attempt)?<\/p>

By using log analysis you can reliably detect every failure and you don\u2019t need to worry about encrypted
traffic. Plus, you can do more useful stuff, like detecting multiple failed login attempts followed
by a success (successful brute force attack) and monitoring every successful login to your systems.<\/p>

I wrote a paper while back with some patterns that we can look in authentication logs:<\/p>

http:\/\/www.ossec.net\/en\/loganalysis.html<\/p>

And if you are looking for an open source tool to monitor all your logs (from Apache to sshd, proftpd,
Windows logs, etc, etc), with the ability to execute active responses based on them (blocking ips,
disabling users, etc), you can try ossec*:<\/p>

Home<\/a><\/blockquote>