Snort mailing list archives
Re: password detection
From: counter.spy () gmx de
Date: Mon, 18 Mar 2002 15:25:51 +0100 (MET)
Howdy,
Hi Mike!
I know this request is going to sound really devious, but I assure you my intentions are completely white-hat. I'd like to see how many people are using plain text passwords on my network. A few protocols that come to mind are telnet and pop3. Obviously, I want to teach them the wonder that is ssh. I was thinking something like: content:"PASS"; Has anyone gone about this before? -Mike Arrison
Not exactly, but it could work. Have you found out whether the string "PASS" is actually used in the sessions you want to monitor? I am not quite sure, but if "PASS" is really used in Telnet and POP3, then I think it will work (I am not a protocol geek, yet ;-). Maybe you would like to tighten the string search by using offset and depth modifiers, because "PASS" could show up in legitimate payload. I suppose you have specified the appropriate port numbers in your rules?

BTW: I found out that the subseven rules in backdoors.rules did not trigger in my tests with SubSeven Gold 2.1 in a testing environment. I have written rules for this particular version *without* specifying a port, because the port can easily be customized. In this backdoor traffic I also found a password request and reply in plain text. The rules are working well for me and they have not produced any false positives on a production network yet. But this was my first attempt at writing rules, so please don't laugh too loud ;-)

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "|76 65 72 73 69 6f 6e 3a 20 32 2e 31|"; \
offset: 40; depth: 40; nocase; classtype: misc-activity;)

HTH
Greetings,
D. Liesen

PS: I am never sure whether such things shouldn't rather be discussed on the sigs list.

--
GMX - The communication platform on the Internet. http://www.gmx.net
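The "tighten the string search with offset, depth and port numbers" advice above, worked through as an added Python example (mine, not the poster's or Snort's own code): it emulates Snort's content/offset/depth/nocase semantics on constructed packets and shows a bare content:"PASS" rule firing on legitimate payload, while a port- and depth-restricted POP3 rule fires only on the login but also misses a pipelined USER/PASS packet, which is the trade-off depth introduces.

```python
"""Added example (not the poster's or Snort's code): emulate Snort's
content/offset/depth/nocase matching on constructed packets."""
from dataclasses import dataclass


@dataclass
class Packet:
    src_port: int
    dst_port: int
    payload: bytes


def content_match(payload, pattern, offset=0, depth=None, nocase=False):
    """Snort semantics: look for `pattern` starting `offset` bytes into the
    payload, but only within the next `depth` bytes (whole payload if None)."""
    end = None if depth is None else offset + depth
    window = payload[offset:end]
    if nocase:
        window, pattern = window.lower(), pattern.lower()
    return pattern in window


def loose_rule(pkt):
    # content:"PASS"; with no port, offset or depth restriction
    return content_match(pkt.payload, b"PASS")


def tight_rule(pkt):
    # ... -> $EXTERNAL_NET 110 (content:"PASS "; offset:0; depth:5; nocase;)
    return pkt.dst_port == 110 and content_match(
        pkt.payload, b"PASS ", offset=0, depth=5, nocase=True)


# Constructed traffic (not captures); client ports are arbitrary high ports.
SAMPLES = {
    "pop3_login": Packet(50123, 110, b"PASS hunter2\r\n"),
    "pop3_pipelined": Packet(50124, 110, b"USER bob\r\nPASS hunter2\r\n"),
    "pop3_server_body": Packet(110, 50123, b"+OK 48 octets\r\nSubject: Audit PASSED\r\n"),
    "smtp_body": Packet(50125, 25, b"Subject: PASSWORD policy reminder\r\n"),
}


def evaluate(rules, samples):
    """Return {rule_name: sorted names of the samples that triggered it}."""
    return {name: sorted(k for k, pkt in samples.items() if rule(pkt))
            for name, rule in rules.items()}
```

Running `evaluate({"loose": loose_rule, "tight": tight_rule}, SAMPLES)` shows the loose rule hitting all four packets (two of them mail bodies) and the tight rule hitting only pop3_login.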