Rule: 

--
Sid: 
100000167

-- 
Summary: 
The password-cracking tool Hydra has been detected in SMTP traffic.

--
Impact:
An attacker may be attempting to break into one or more mail servers monitored by Snort via a brute-force password attack. If successful, the attacker may gain unauthorized access to internal networks.

--
Detailed Information:
Hydra is a password-cracking tool released by a group of security experts called THC, "The Hacker's Choice." When connecting to a mail server, it will begin communications by sending either "HELO hydra" or "EHLO hydra", depending upon the commands accepted by the remote server. Since a valid HELO or EHLO command will contain the domain name of the system mail is being sent from, the presence of either of these strings indicates that the Hydra tool is likely being used.

--
Affected Systems:
Any system running a mail server.

--
Attack Scenarios:
Attackers will use the Hydra password-cracking tool.

--
Ease of Attack:
Simple, as the program is publicly available and is well-documented.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Check system logs and Snort alert logs for suspicious activity, particularly unusual logons. Ensure that secure passwords are being used throughout your network.

--
Contributors:
rmkml
Sourcefire Research Team

--
Additional References

--
