Execution and Attack Detection with MnSec and Suricata

Brute Force

There are several authentication techniques that can be used in brute force attacks:

In the documented use of Mininet-sec, the authentication technique used was LOGIN. The Python honeypots package used by the Mininet-sec project only supports the PLAIN authentication technique and returns a success message for the login attempt. This is problematic because one of the objectives of a honeypot is to deceive the attacker and keep them issuing commands so that the attack process can be analysed; a tool such as Hydra stops as soon as it sees a "successful" credential (the -F option in the commands below does exactly that), so little further interaction is captured. Possible solutions, such as modifying the honeypots package, may be applied in future versions of Mininet-sec.

IMAP

Command executed in the directory containing the password and login list:

sudo mnsecx o1 hydra -L top-usernames-shortlist.txt -P top-usernames-shortlist.txt imap://192.168.1.103/LOGIN -V -I -F

Rules that generated alerts:

alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"ET SCAN Rapid IMAP Connections - Possible Brute Force Attack"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 30, seconds 60; classtype:misc-activity; sid:2002994; rev:7; metadata:created_at 2010_07_30, updated_at 2019_07_26;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"Possible IMAP Brute Force attack"; flags:S; flow:to_server; threshold: type limit, track by_src, count 20, seconds 40; tcp.mss:1460; dsize:0; window:42340; classtype:credential-theft; sid:100000137; rev:1;) (self-authored)

Two caveats on the self-authored rule. Its threshold is of type limit, which alerts on the first 20 SYNs from a source within 40 seconds rather than after 20 of them, so a single legitimate IMAP connection already raises an alert; type both (as in the ET rule above) or type threshold (as in the POP3 rule below) is what makes the count a precondition for alerting. Also, tcp.mss:1460 and window:42340 pin the rule to the SYN fingerprint of the host that ran Hydra, so the same attack from a host with a different TCP stack would not match.

SSH

Command executed in the directory containing the password and login list:

sudo mnsecx o1 hydra -L top-usernames-shortlist.txt -P top-usernames-shortlist.txt ssh://192.168.1.103/LOGIN -V -I -F

Rule that generated alerts:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"ET SCAN Potential SSH Scan"; flow:to_server; flags:S,12; threshold: type both, track by_src, count 5, seconds 120; reference:url,en.wikipedia.org/wiki/Brute_force_attack; classtype:attempted-recon; sid:2001219; rev:20; metadata:created_at 2010_07_30, updated_at 2019_07_26;)

POP3

Command executed in the directory containing the password and login list:

sudo mnsecx o1 hydra -L top-usernames-shortlist.txt -P top-usernames-shortlist.txt pop3://192.168.1.103/LOGIN -V -I -F

Rule that generated alerts:

alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"Possible POP3 Brute Force attack"; flags:S; flow:to_server; threshold: type threshold, track by_src, count 5, seconds 20; classtype:credential-theft; sid:100000138; rev:1;) (self-authored)
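The following is an added example, not Mininet-sec or Suricata code: a simplified Python model of the documented semantics of Suricata's threshold keyword (type limit, threshold and both, with track by_src) that replays constructed SYN timelines through the four rules listed above. The attacker address 192.168.1.101, the number of Hydra connections and their spacing are assumptions made for the example. It shows why a type limit rule alerts even on a single connection, while type both alerts once per interval after the count is reached and type threshold alerts on every count-th match.

```python
"""Simplified model of Suricata's per-rule 'threshold' keyword.

Added example, not Mininet-sec or Suricata code. It follows the documented
semantics of threshold type limit / threshold / both with track by_src and
replays constructed SYN timelines through the four rules on this page.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    sid: int
    port: int
    ttype: str      # "limit", "threshold" or "both"
    count: int
    seconds: int
    # per-source state: src -> (interval start, matches seen in the interval)
    state: dict = field(default_factory=dict)

    def match(self, ts, src):
        """Feed one SYN from <src> at time <ts>; return True if it alerts."""
        start, n = self.state.get(src, (None, 0))
        # The interval (re)starts on the first match after the previous one expired.
        if start is None or ts - start >= self.seconds:
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        if self.ttype == "limit":        # alert on the first <count> matches only
            return n <= self.count
        if self.ttype == "threshold":    # alert on every <count>-th match
            return n % self.count == 0
        if self.ttype == "both":         # alert once, on the <count>-th match
            return n == self.count
        raise ValueError(f"unknown threshold type {self.ttype!r}")


# Ports, types, counts and intervals copied from the rules quoted on this page.
RULES = [
    Rule(2002994, 143, "both", 30, 60),        # ET SCAN Rapid IMAP Connections
    Rule(100000137, 143, "limit", 20, 40),     # self-authored IMAP rule
    Rule(2001219, 22, "both", 5, 120),         # ET SCAN Potential SSH Scan
    Rule(100000138, 110, "threshold", 5, 20),  # self-authored POP3 rule
]

ATTACKER = "192.168.1.101"   # assumed attacker address (not taken from the page)


def syn_timeline(port, n, interval, src=ATTACKER):
    """Constructed sample traffic: n SYNs from <src> to <port>, <interval> s apart."""
    return [(i * interval, src, port) for i in range(n)]


def count_alerts(rule, events):
    """Replay a SYN timeline through a fresh copy of <rule>; return the alert count."""
    r = Rule(rule.sid, rule.port, rule.ttype, rule.count, rule.seconds)
    return sum(1 for ts, src, port in events if port == r.port and r.match(ts, src))


def alerts_by_sid(events):
    """Alert count per sid for one timeline, e.g. {2002994: 1, 100000137: 20, ...}."""
    return {r.sid: count_alerts(r, events) for r in RULES}


if __name__ == "__main__":
    scenarios = [
        ("one legitimate IMAP login", syn_timeline(143, 1, 0.0)),
        ("hydra: 50 IMAP connections in 10 s", syn_timeline(143, 50, 0.2)),
        ("hydra: 50 SSH connections in 10 s", syn_timeline(22, 50, 0.2)),
        ("hydra: 50 POP3 connections in 10 s", syn_timeline(110, 50, 0.2)),
    ]
    for label, events in scenarios:
        print(f"{label}: {alerts_by_sid(events)}")
```

With these inputs the single IMAP login produces no alert from the ET rule but one from the self-authored limit rule, and the 50-connection IMAP run produces 1 alert from the ET rule and 20 from the self-authored one; the POP3 threshold rule fires 10 times over 50 connections, and the SSH rule once. Real Hydra runs open several connections in parallel, so the spacing here is only an approximation of the timing on the wire.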

TCP, UDP, and ICMP Flood

--rand-source is an hping3 option that puts a random, spoofed source IP address on every packet it sends. Because of it, all of the ICMP, UDP and TCP floods triggered ET DROP rules. Those rules do not detect flooding as such: they match packets whose source address falls within address ranges published as malicious or hijacked (the Spamhaus DROP and DShield block lists), and with random source addresses some of the spoofed packets inevitably land in those ranges. A flood sent from the attacker's real address, or without --rand-source, would not trigger them; detecting the flood itself requires rate-based rules (threshold or detection_filter on ICMP, UDP or SYN packets per destination) rather than address reputation.

Conclusion

Overall, Suricata performed well in detecting the attacks that were launched, and for the cases where the stock ET rules did not fire it was possible to write custom rules that detected them.