Snort mailing list archives
Re: password sniffingj
From: Michael Boman <michael () ayeka dyndns org>
Date: Fri, 17 Aug 2001 21:08:11 +0800
On Fri, Aug 17, 2001 at 08:51:44AM -0400, Dell, Jeffrey wrote:
The only problem is that port 21 isn't telnet, it is ftp. Telnet sits on port 23. Unless you are checking to see if people have set up a telnet daemon on port 21, I would make sure you fix that...
Jeff
Well, you could easily create rules that warn you about clear-text protocols. Telnet (23), ftp (21), pop3 (110), imap (143) are all clear-text protocols (there are more, this is just an example). So, why not start writing generic rules against that? (hmm, I wonder what network traffic .htaccess auth. in apache generates [firing up tcpdump....]).
Best regards
Michael Boman
-----Original Message-----
From: Sutton, Andrew [mailto:andrew.sutton () cocc com]
Sent: Friday, August 17, 2001 8:26 AM
To: 'snort-users () lists sourceforge net'
Subject: FW: [Snort-users] password sniffingj

Here's two that I use for telnet. I suppose you could open it up for any any for other ports. The tricky part is what would flag the user/pass in the content of the packets.

alert tcp any any -> $HOME_NET 21 (msg:"Telnet Username in the _CLEAR!_";content: "USER";nocase;)
alert tcp any any -> $HOME_NET 21 (msg:"Telnet Password in the _CLEAR!_";content: "PASS";nocase;)

Andrew Sutton
"Shortcuts make for long delays." - J.R.R. Tolkien

-----Original Message-----
From: Tracy R Reed [mailto:treed () ultraviolet org]
Sent: Friday, August 17, 2001 4:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] password sniffingj

Are there snort rules which will detect passwords being sent in cleartext? I am interested in catching any passwords being sent in the clear in a number of protocols (http, pop, imap, etc). It is against corporate policy to send passwords in the clear but we have no way of knowing whether a developer has done something silly like set up non-ssl http authentication on some web server somewhere. I suppose I could run linsniff but it would be nice to have something integrated with snort that supported more protocols.

--
Tracy Reed http://www.ultraviolet.org
"Every artist is a cannibal, every poet is a thief. They all kill their inspiration, and sing about the grief." - U2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
There is no such thing as a system that is secure out of the box. Tim [Timothy M. Mullen, CIO of AnchorIS.Com] claimed earlier this morning that he had found one at Val-Mart the other day that was secure out of the box, but as it turns out that was a Nintendo.
-- Jesper M Johansson, Ph.D. Assistant Professor of Information Systems at Boston University - during a SANS audio broadcast
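The generic per-protocol check suggested in this message, sketched as an added Python example (not code from the thread or from Snort). It goes slightly beyond the FTP case by also covering POP3, IMAP and HTTP Basic. The function name, port 80 for HTTP and the sample payloads are assumptions constructed for illustration.

```python
import base64
import re

# Destination port -> (protocol, regex for the credential-bearing command).
# 21/110/143 are the ports named in the thread; 80 for HTTP is an assumption.
# Telnet (23) is absent on purpose: it carries keystrokes, not USER/PASS verbs.
CLEARTEXT_RULES = {
    21: ("ftp", re.compile(rb"^(USER|PASS)\s+(\S+)", re.I | re.M)),
    110: ("pop3", re.compile(rb"^(USER|PASS)\s+(\S+)", re.I | re.M)),
    143: ("imap", re.compile(rb"^\S+\s+(LOGIN)\s+(\S+)\s+\S+", re.I | re.M)),
    80: ("http", re.compile(rb"^Authorization:\s*(Basic)\s+([A-Za-z0-9+/=]+)",
                            re.I | re.M)),
}


def find_cleartext_credentials(dst_port, payload):
    """Hypothetical helper: (protocol, kind, username or None) per finding."""
    # Passwords are never returned, so an alert is not a second copy of them.
    proto, pattern = CLEARTEXT_RULES.get(dst_port, (None, None))
    if pattern is None:
        return []
    findings = []
    for m in pattern.finditer(payload):
        verb, arg = m.group(1).upper(), m.group(2)
        if verb == b"PASS":
            findings.append((proto, "password", None))
        elif verb == b"USER":
            findings.append((proto, "username", arg.decode("latin-1")))
        elif verb == b"LOGIN":  # IMAP sends user and password on one line
            user = arg.decode("latin-1").strip('"')
            findings.append((proto, "username+password", user))
        else:  # HTTP Basic: base64("user:password"), encoded but not encrypted
            try:
                user = base64.b64decode(arg, validate=True).split(b":", 1)[0]
            except ValueError:
                continue  # not valid base64, so not a Basic credential
            findings.append((proto, "username+password", user.decode("latin-1")))
    return findings

# Constructed sample payloads, not captured traffic.
SAMPLES = [
    (21, b"USER alice\r\nPASS hunter2\r\n"),
    (143, b'a001 LOGIN "bob" "s3cret"\r\n'),
    (80, b"GET /private/ HTTP/1.0\r\nAuthorization: Basic Y2Fyb2w6cHc=\r\n\r\n"),
    (23, b"USER alice\r\n"),
]
if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, find_cleartext_credentials(port, data))
```

The port 23 sample returns nothing, which is the point raised in the reply: keyword matches on USER and PASS describe FTP and POP3, not telnet.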
Current thread:
- password sniffingj Tracy R Reed (Aug 17)
- Re: password sniffingj Pär Thoren (Aug 17)
- <Possible follow-ups>
- FW: password sniffingj Sutton, Andrew (Aug 17)
- RE: password sniffingj Dell, Jeffrey (Aug 17)
- Re: password sniffingj Michael Boman (Aug 17)
- Re: FW: password sniffingj Neil Dickey (Aug 17)