Snort mailing list archives

Re: FW: password sniffing


From: Neil Dickey <neil () geol niu edu>
Date: Fri, 17 Aug 2001 10:19:59 -0500 (CDT)


"Sutton, Andrew" <andrew.sutton () cocc com> wrote:

Here are two that I use for telnet.  I suppose you could open it up for any
any for other ports.  The tricky part is what would flag the user/pass in
the content of the packets.

alert tcp any any -> $HOME_NET 21 (msg:"Telnet Username in the _CLEAR!_"; content:"USER"; nocase;)
alert tcp any any -> $HOME_NET 21 (msg:"Telnet Password in the _CLEAR!_"; content:"PASS"; nocase;)

For my own instruction, when I first learned that telnet was insecure
I set up a snoop session and did some telnetting to see what I could
see.  What I found is that, while the telnet password is in fact sent
in the clear, it is sent one character at a time in successive packets.
This makes it a bit difficult to sniff.  FTP, on the other hand, puts
the whole thing in a single packet, in the clear, and the second rule
above will in fact pick it up.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
60115
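As an added illustration of Neil's point (example code written for this archive page, not from the thread; both sessions are constructed): a content match evaluated one packet at a time, the way a plain Snort content rule is applied, catches the FTP command line but cannot see a telnet login that arrives one keystroke per segment, while the same match over the reassembled client-to-server stream does.

```python
# Added example, not from the thread. Contrasts per-packet content matching
# (how a bare Snort content rule is evaluated) with matching over the
# reassembled TCP stream, which is what a stream-reassembly preprocessor
# such as Snort's provides. Packet payloads below are constructed samples.
from dataclasses import dataclass
from typing import List, Sequence


@dataclass
class Packet:
    """Constructed client->server TCP segment: destination port and payload."""
    dport: int
    payload: bytes


# Constructed sessions. An FTP client sends each command as one line;
# a telnet client in character mode sends one keystroke per segment.
FTP_SESSION = [Packet(21, b"USER alice\r\n"), Packet(21, b"PASS s3cret\r\n")]
TELNET_SESSION = [Packet(23, bytes([b])) for b in b"alice\r\ns3cret\r\n"]


def per_packet_matches(packets: Sequence[Packet], content: bytes) -> List[int]:
    """Indices of packets whose own payload contains `content`, case-insensitive,
    mirroring content:"...";nocase; evaluated against a single packet."""
    needle = content.upper()
    return [i for i, p in enumerate(packets) if needle in p.payload.upper()]


def reassembled_match(packets: Sequence[Packet], content: bytes) -> bool:
    """The same match over the concatenated payloads, which is the view a
    stream reassembler hands to the detection engine."""
    stream = b"".join(p.payload for p in packets).upper()
    return content.upper() in stream


if __name__ == "__main__":
    # Expected: FTP PASS hit in packet 1; telnet per-packet finds nothing;
    # telnet reassembled match succeeds.
    print("FTP  per-packet 'PASS'   :", per_packet_matches(FTP_SESSION, b"PASS"))
    print("TNET per-packet 's3cret' :", per_packet_matches(TELNET_SESSION, b"s3cret"))
    print("TNET reassembled 's3cret':", reassembled_match(TELNET_SESSION, b"s3cret"))
```

The telnet case is why a rule on port 23 needs stream reassembly enabled before a content match on the login has any chance of firing; without it the rule can only match the server's prompt, never the characters the client typed.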

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net