Hello all,
for a few weeks now I have been watching brute-force attacks on SMTP AUTH.
They look like this:
2007-08-28 22:00:33 plain_login authenticator failed for (ameill-2007) [222.183.149.252]: 535 Incorrect authentication data (set_id=company)
2007-09-30 07:41:11 plain_login authenticator failed for (ameill-2007) [222.183.160.28]: 535 Incorrect authentication data (set_id=administrator)
2007-09-30 21:26:16 plain_login authenticator failed for (windows) [64.72.227.37]: 535 Incorrect authentication data (set_id="null")
The affected box is running exim (just as info). I would like to make bro recognize such attacks, so could someone be so kind as to give me some hints on where to start? I have checked out src/SMTP.cc and policy/smtp.bro, but it is kind of weird.
The first problem I can't solve "ad hoc" is:
1192050353.634741 #136 xx.xx.33.62/20241 > xx.xx.xx.44/smtp start external
1192050395.930749 #136 error: command mismatch: **(4) [cmd=**, cmd_arg=IQ==, reply=0, reply_arg=, cont_reply=F, log_reply=F](4), AUTH_ANSWER (334 UGFzc3dvcmQ6)
1192050397.092847 #136 error: command mismatch: **(5) [cmd=**, cmd_arg=, reply=0, reply_arg=, cont_reply=F, log_reply=F](5), AUTH_ANSWER (235 Authentication succeeded)
1192050399.164633 #136 finish
The session looks like this:
>> my input
<< server response
EHLO test.pl
SMTP<< 250 banner
AUTH LOGIN
SMTP<< 334 VXNlcm5hbWU6
IQ==
SMTP<< 334 UGFzc3dvcmQ6
<simply_enter>
SMTP<< 235 Authentication succeeded
so the commands are in the correct sequence, yet bro tells me that it is wrong.
Where should I start with fixing this? I'm familiar with the bro language and have written many other policies from scratch for our company, but I'm a little bit confused about where to start with SMTP.
thx and kind regards,
Rafal
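As an added example (not part of the original post, and not bro or exim code), the following Python script does on the exim side what the post wants bro to do on the wire: it parses the "authenticator failed" lines quoted above and raises one alert per source IP once that IP has accumulated a threshold of failures inside a sliding time window. The regex is written against the exact line shape shown in the post (timestamp, mechanism, optional HELO name in parentheses, client IP in brackets, 535 reply, optional set_id); the threshold, window, function names and the sample log with documentation-range IPs are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches exim main-log failure lines of the shape quoted in the post, e.g.
#   2007-08-28 22:00:33 plain_login authenticator failed for (ameill-2007)
#   [222.183.149.252]: 535 Incorrect authentication data (set_id=company)
# The HELO name in parentheses and the trailing set_id are both optional.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<mech>\S+) authenticator failed for "
    r"(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<msg>.*?)"
    r"(?: \(set_id=(?P<user>.*)\))?$"
)


def parse_failure(line):
    """Return a dict for an auth-failure line, or None for any other log line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    # exim quotes set_id values that are not plain tokens (e.g. "null" above)
    if rec["user"] is not None:
        rec["user"] = rec["user"].strip('"')
    return rec


def detect_bruteforce(lines, threshold=3, window=timedelta(minutes=10)):
    """Flag a source IP once it has `threshold` failures within `window`.

    Returns {ip: [(first_ts, last_ts, count, sorted usernames tried)]}.
    The per-IP state is reset after each alert so a long-running attack
    produces one alert per window crossing rather than one per log line.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    users = defaultdict(set)      # ip -> usernames tried in the window
    alerts = defaultdict(list)
    for line in lines:
        rec = parse_failure(line)
        if rec is None:
            continue                      # delivery, queue-run and other lines
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        if rec["user"]:
            users[ip].add(rec["user"])
        # evict failures that fell out of the window (log is read in order)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip].append((q[0], ts, len(q), sorted(users[ip])))
            q.clear()
            users[ip].clear()
    return dict(alerts)


# Constructed sample log: one client walking through usernames within a
# minute, one legitimate user mistyping a password twice a day apart, and
# one unrelated exim line that the parser must ignore.
SAMPLE_LOG = [
    "2007-10-10 22:00:33 plain_login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=company)",
    "2007-10-10 22:00:41 plain_login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=administrator)",
    '2007-10-10 22:00:52 plain_login authenticator failed for (windows) [192.0.2.10]: 535 Incorrect authentication data (set_id="null")',
    "2007-10-10 22:01:05 plain_login authenticator failed for (ameill-2007) [192.0.2.10]: 535 Incorrect authentication data (set_id=root)",
    "2007-10-10 22:03:00 plain_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=rafal)",
    "2007-10-10 22:03:01 Start queue run: pid=1234",
    "2007-10-11 09:00:00 plain_login authenticator failed for (laptop) [198.51.100.7]: 535 Incorrect authentication data (set_id=rafal)",
]


if __name__ == "__main__":
    for ip, hits in detect_bruteforce(SAMPLE_LOG).items():
        for first, last, count, names in hits:
            print(f"{ip}: {count} failures between {first} and {last}, "
                  f"usernames tried: {', '.join(names)}")
```

Run against a real main log with `detect_bruteforce(open("/var/log/exim4/mainlog"))`; the window and threshold are the knobs to tune so that a user who fat-fingers a password twice is not reported while a client cycling through `company`, `administrator` and `null` in under a minute is. The same sliding-window count is what a bro policy would keep per originator address if it raised an event on each 535 reply to an AUTH exchange.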