I'm trying to create a brute force rule that will automatically block ms sql attacks. I have the content of the packet but cant seem to figure out how to create a hex based rule... it does say "Login Failed" ....

4C 00 6F 00 67 00 69 00 6E 00 20 00 66 00 61 00 69 00 6C 00 65 00 64

how can i take this hex above and create a content filter to match it.
I have already tried to use nth for every 2 packets but it dont seem to work.
any help would be appreciated.
thanks

/ip firewall mangle> print
0 chain=prerouting action=log content=\4C\00\6F\00\67\00\69\00\6E\00\20\00\66\00\61\00\69\00\6C\00\65\00\64 log-prefix="failed"


screenshot of the packet created.

bump.

try with L7
/ip firewall layer7-protocol add comment="" name=LoginFailed regexp="\\x4C\\x00\\x6F\\x00\\x67\\x00\\x69\\x00\\x6E\\x00\\x20\\x00\\x66\\x00\\x61\\x00\\x69\\x00\\x6C\\x00\\x65\\x00\\x64"

when trying to add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C\\x00\\x6F\\x00\\x67\\x00\\x69\\x00\\x6E\\x00\\x20\\x00\\x66\\x00\\x61\\x00\\x69\\x00\\x6C\\x00\\x65\\x00\\x64"
i end up with: "failure: null (\x00) in regexp. A null terminates the regexp string!"

don't know

try differrent ways:
add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C\\0\\x6F\\0\\x67\\0\\x69\\0\\x6E\\0\\x20\\0\\x66\\0\\x61\\0\\x69\\0\\x6C\\0\\x65\\0\\x64"

or

add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C\\u0000\\x6F\\u0000\\x67\\u0000\\x69\\u0000\\x6E\\u0000\\x20\\u0000\\x66\\u0000\\x61\\u0000\\x69\\u0000\\x6C\\u0000\\x65\\u0000\\x64"

or

add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C[^.]\\x6F[^.]\\x67[^.]\\x69[^.]\\x6E[^.]\\x20[^.]\\x66[^.]\\x61[^.]\\x69[^.]\\x6C[^.]\\x65[^.]\\x64"

or

add /ip firewall layer7-protocol add comment="track sql login failures" name=sqlloginfailed regexp="\\x4C.\\x6F.\\x67.\\x69.\\x6E.\\x20.\\x66.\\x61.\\x69.\\x6C.\\x65.\\x64"

thanks was able to get the rule in now need to figure out why its seems like its not matching .

I haven't been able to get the filter rule to log any results as of yet. with the filter rules above.
Does anyone else have any ideas?

Mmmmmm........

Why complicate simpler things?
the dot "." on regexp stay for "any" character.


The problem are another: this errors appear on first 10 packet or first 2KBytes of the connection?

MUST appear on that limit for each connection, or you do not see any matching.

ah that might do it ... packet number 13... and also 4.7k

Nice idea, but not working as expected.

I suppose when link fail sql close connection?

Try to count connection bytes.

If is on (for hypotesys) 14/16 packet only on 4.5/5.1KB only, is probvably one brute force attack?

Or better: you do not know what are the IP of calling clients?
Simply permit that IP and tarpit all other connections...

yes that is correct. as soon as it gets an invalid log in the connection to sql closes.
as to the 14/16 packet only not sure what you mean.
Unfortunately the "allowed" ip's are not known. multiple wan address from multiple companies.

Did you solve the problem i have the same and dont know how to fix

issue has not yet been resolved.

I haven't had much of a chance to go back to this.