Forum Discussion
Hi Aplovich,
using [STREAM] (or a manual [TCP::payload] or even [SSL::payload] parsing) as a basic IDS to detect and report login failures should be possible and I really love this creative idea 🙂
To shed some light on your questions:
- Once enabled it will STREAM your request and responses packet wise.
- You could use a single expression for both sides. Using two independent expressions would require you to trigger the CLIENT_DATA and SERVER_DATA events to flip the search patterns, since a flip would be required for each single inbound/outbound TCP packet and not just for the initial connection establishment.
-
I have a lot of additional thoughts for you...
a.) Active Sync is HTTP and supports X-Forwarded-For headers. There is no need for [STREAM].
b.) SMTP uses HELO/EHLO commands to exchange freetext at the beginning of the conversation. You could embed the orig_ip into this packet exchange and use your SMTP logfiles to identify the source IP.
c.) IMAP and POP3 will most likely use a transport layer security. You have to deploy SSL Profiles to be able to MitM the conversation.
d.) Fragmentation of the protocol conversation will bypass your [STREAM::expression]. (e.g. TCP-Nagle will fragment (TCP-PUSH) a conversation if a delay of >250ms between independent chars is detected.) To make the detection more robust, you will need to buffer and defragment the user input on each of its CRLF sequences using the CLIENT_DATA event (e.g. [TCP::collect]/[SSL::collect] with conditional [TCP::release]/[SSL::release]).
e.) If d.) is going to be implemented, then it will be more effective to skip the [STREAM] approach and just use [string], [getfield], [findstr] and [substr] commands to parse the usernames.
Hope this helps 🙂
Cheers, Kai
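The CRLF buffering from point d.) combined with the plain [string]/[getfield] parsing from point e.), written out as an added iRule example (this is not code from the original post). It assumes a cleartext POP3 virtual server, so the TCP:: commands are used; behind an SSL profile the SSL::collect/SSL::payload/SSL::release equivalents apply. The log line is the detection output; correlating it with the server's reply in SERVER_DATA is left out.

```tcl
# Added example: reassemble client input on CRLF before parsing, so a login
# command split across TCP segments (Nagle/TCP-PUSH) is still seen whole.
# Assumes cleartext POP3 ("USER <name>\r\n"); hypothetical log format.
when CLIENT_ACCEPTED {
    # collect client payload instead of passing it straight through
    TCP::collect
}

when CLIENT_DATA {
    set payload [TCP::payload]
    set last_crlf [string last "\r\n" $payload]
    if { $last_crlf == -1 } {
        # no complete line yet: keep buffering and wait for the next segment
        TCP::collect
        return
    }
    # bytes up to and including the last CRLF form complete lines
    set complete_len [expr {$last_crlf + 2}]
    set lines [string range $payload 0 [expr {$last_crlf - 1}]]
    set pos [string first "\r\n" $lines]
    while { 1 } {
        if { $pos == -1 } {
            set line $lines
        } else {
            set line [string range $lines 0 [expr {$pos - 1}]]
        }
        # POP3 login attempt: first field is USER (case-insensitive)
        if { [string tolower [getfield $line " " 1]] eq "user" } {
            log local0. "login attempt user=[getfield $line " " 2] client=[IP::client_addr]"
        }
        if { $pos == -1 } { break }
        set lines [string range $lines [expr {$pos + 2}] end]
        set pos [string first "\r\n" $lines]
    }
    # forward only the complete lines; a trailing partial line stays buffered
    TCP::release $complete_len
    TCP::collect
}
```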