[Bro] SMTP Analyzer

Thorolf ml at grid.einherjar.de
Wed Oct 10 16:52:38 PDT 2007


Hello all,

For a few weeks now I have been watching brute-force attacks on SMTP AUTH.

It looks like this:

2007-08-28 22:00:33 plain_login authenticator failed for (ameill-2007) [222.183.149.252]: 535 Incorrect authentication data (set_id=company)
2007-09-30 07:41:11 plain_login authenticator failed for (ameill-2007) [222.183.160.28]: 535 Incorrect authentication data (set_id=administrator)
2007-09-30 21:26:16 plain_login authenticator failed for (windows) [64.72.227.37]: 535 Incorrect authentication data (set_id="null")


The affected box is running exim (just as info). I would like to make bro
recognize such attacks, so could someone be so kind as to give me some
hints on where to start? I have checked out src/SMTP.cc and policy/smtp.bro,
but it is kind of weird.

The first problem I can't solve "ad hoc" is:

1192050353.634741 #136 xx.xx.33.62/20241 > xx.xx.xx.44/smtp start external
1192050395.930749 #136 error: command mismatch: **(4) [cmd=**, cmd_arg=IQ==, reply=0, reply_arg=, cont_reply=F, log_reply=F](4), AUTH_ANSWER (334 UGFzc3dvcmQ6)
1192050397.092847 #136 error: command mismatch: **(5) [cmd=**, cmd_arg=, reply=0, reply_arg=, cont_reply=F, log_reply=F](5), AUTH_ANSWER (235 Authentication succeeded)
1192050399.164633 #136 finish

The session looks like this:

>> my input
<< server response

SMTP>> EHLO test.pl
SMTP<< 250 banner
SMTP>> AUTH LOGIN
SMTP<< 334 VXNlcm5hbWU6
SMTP>> IQ==
SMTP<< 334 UGFzc3dvcmQ6
SMTP>> <simply_enter>
SMTP<< 235 Authentication succeeded

So the commands are in the correct sequence, yet bro tells me that it is wrong.

Where should I start with fixing this? I'm familiar with the bro language and
have written many other policies from scratch for our company, but I'm a
little bit confused about where to start with SMTP.

Thanks and kind regards,
Rafal
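As an added example (not code from the post, from exim or from bro), a Python sketch of the two checks the post is after: counting failed AUTH attempts per source in the Exim log format quoted above, and walking the AUTH LOGIN exchange message by message to confirm that the sequence shown is well-formed. The extra log lines beyond the three quoted, the failure threshold and the function names are assumptions.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the Exim log format quoted in the post: the last three lines
# are the post's own, the first two are added to give one source repeated failures.
EXIM_LOG = """\
2007-09-30 07:41:09 plain_login authenticator failed for (ameill-2007) [222.183.160.28]: 535 Incorrect authentication data (set_id=postmaster)
2007-09-30 07:41:10 plain_login authenticator failed for (ameill-2007) [222.183.160.28]: 535 Incorrect authentication data (set_id=admin)
2007-08-28 22:00:33 plain_login authenticator failed for (ameill-2007) [222.183.149.252]: 535 Incorrect authentication data (set_id=company)
2007-09-30 07:41:11 plain_login authenticator failed for (ameill-2007) [222.183.160.28]: 535 Incorrect authentication data (set_id=administrator)
2007-09-30 21:26:16 plain_login authenticator failed for (windows) [64.72.227.37]: 535 Incorrect authentication data (set_id="null")
"""

FAIL_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<auth>\S+) authenticator failed for "
                     r"\((?P<name>[^)]*)\) \[(?P<ip>[^\]]+)\]: 535 .*\(set_id=(?P<user>.*)\)$")

def auth_failures(log_text):
    """Map source IP -> list of set_ids that failed SMTP AUTH, in log order."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            per_ip[m["ip"]].append(m["user"].strip('"'))
    return dict(per_ip)

def bruteforce_sources(log_text, threshold=3):
    """Sources with at least `threshold` failures (the threshold is an assumed knob)."""
    return {ip: u for ip, u in auth_failures(log_text).items() if len(u) >= threshold}

# The AUTH LOGIN exchange from the post as (direction, line) pairs; '>' is the client.
SESSION = [(">", "AUTH LOGIN"), ("<", "334 VXNlcm5hbWU6"), (">", "IQ=="),
           ("<", "334 UGFzc3dvcmQ6"), (">", ""), ("<", "235 Authentication succeeded")]

def auth_login_outcome(session):
    """Check the AUTH LOGIN turn sequence and return (username, final reply code).
    Raises ValueError at the first step that breaks the sequence."""
    if [d for d, _ in session] != [">", "<", ">", "<", ">", "<"]:
        raise ValueError("AUTH LOGIN is six alternating client/server messages")
    if session[0][1].upper() != "AUTH LOGIN":
        raise ValueError("not an AUTH LOGIN exchange")
    for i, prompt in ((1, b"Username:"), (3, b"Password:")):
        code, _, challenge = session[i][1].partition(" ")
        if code != "334" or base64.b64decode(challenge) != prompt:
            raise ValueError("unexpected server challenge at message %d" % i)
    # A bare Enter from the client (as in the post) is a valid, empty base64 answer;
    # the password answer is left opaque on purpose.
    username = base64.b64decode(session[2][1]).decode()
    return username, session[5][1].split(" ", 1)[0]
```

For the session in the post this returns the username "!" and reply code "235", i.e. the exchange is well-formed, which is the state sequence an analyzer needs to accept.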
