Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:611 |
| Message | RSERVICES rlogin login failure |
| Summary | This event is generated when a remote login attempt using rlogin fails. |
| Impact | Someone has tried to log in using rlogin and failed. |
| Detailed Information | This rule generates an event when a login failure message generated by rlogind is seen. rlogin is used on UNIX systems for remote connectivity and remote command execution. Multiple events may indicate that an attacker is attempting a brute force password guessing attack. |
| Affected Systems | |
| Attack Scenarios | An attacker finds a machine with the rlogin service running and proceeds to guess the password remotely by connecting multiple times. |
| Ease of Attack | Simple, no exploit software required |
| Corrective Action | Investigate logs on the target host for further details and more signs of suspicious activity. Use ssh for remote access instead of rlogin. |
| Additional References | CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0651; Arachnids: http://www.whitehats.com/info/IDS392 |
| Rule References | arachnids: 392 |
--
DID:738825