Snort mailing list archives

Re: Snort rule to monitor for a specific user login


From: Richard Bejtlich <taosecurity () gmail com>
Date: Thu, 13 Aug 2009 16:55:28 -0400

On Thu, Aug 13, 2009 at 11:18 AM, Jesse Lands <cryptograffiti () gmail com> wrote:

I guess it would have helped if I was a little more specific.  I want to
monitor for a list of Windows logins used across the network.  Users who
don't have access or shouldn't anymore.  I have a list of logins that are in
use, but don't have a central log collection and have too many computers to
individually check each system.

Thanks again
Jesse


Hi Jesse,

I suggest capturing traffic that represents the activity you care
about.  Then manually inspect that traffic using Wireshark to see if
you can find indicators associated with those users.  You may find the
Wireshark display filters to be a friendlier way to start identifying
the activity of interest.  If you can build some confidence using
Wireshark, you could then try to build a Snort rule that alerts on the
same traffic.

Sincerely,

Richard
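The workflow Richard describes (capture the traffic, find the user indicator in Wireshark, then express it as a Snort content match) can be prototyped in a few dozen lines. The example below is added here and is not code from the thread or from the Snort project. It assumes the logins of interest travel as NTLM authentication inside SMB session setup on TCP 445, which the thread never states; in a domain environment Kerberos logins carry the principal name in a different message and would need a separate indicator. The AUTHENTICATE message layout follows MS-NLMP, the sample message is constructed inline, and the `snort_rule` helper and its SID are illustrative.

```python
"""Extract the username from an NTLMSSP AUTHENTICATE message (MS-NLMP layout),
compare it against a watchlist, and emit the equivalent Snort content match.
All sample data here is constructed; nothing is captured from a real network."""
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
AUTHENTICATE = 3                  # MessageType of the AUTHENTICATE_MESSAGE
NEGOTIATE_UNICODE = 0x00000001    # NegotiateFlags bit: string fields are UTF-16LE

# Byte offsets of the (Len, MaxLen, BufferOffset) descriptors in an AUTHENTICATE message.
FIELD_OFFSETS = {"lm": 12, "nt": 20, "domain": 28, "user": 36,
                 "workstation": 44, "session_key": 52}
FLAGS_OFFSET = 60
PAYLOAD_START = 88                # header incl. Version (8) and MIC (16), both zeroed here


def build_authenticate(domain, user, workstation, flags=NEGOTIATE_UNICODE):
    """Constructed test message; the NT response is zero-filled, no real credential."""
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    payload, descriptors = b"", {}
    for name, value in (("lm", b""), ("nt", b"\x00" * 24), ("domain", domain.encode(enc)),
                        ("user", user.encode(enc)), ("workstation", workstation.encode(enc)),
                        ("session_key", b"")):
        descriptors[name] = (len(value), PAYLOAD_START + len(payload))
        payload += value
    header = bytearray(PAYLOAD_START)
    header[0:8] = NTLMSSP_SIGNATURE
    struct.pack_into("<I", header, 8, AUTHENTICATE)
    for name, (length, offset) in descriptors.items():
        struct.pack_into("<HHI", header, FIELD_OFFSETS[name], length, length, offset)
    struct.pack_into("<I", header, FLAGS_OFFSET, flags)
    return bytes(header) + payload


def parse_authenticate(msg):
    """Return (domain, user) from an AUTHENTICATE message, or None if msg is not one."""
    if len(msg) < FLAGS_OFFSET + 4 or msg[:8] != NTLMSSP_SIGNATURE:
        return None
    if struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        return None   # NEGOTIATE/CHALLENGE messages carry no username
    flags = struct.unpack_from("<I", msg, FLAGS_OFFSET)[0]
    enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii"
    out = []
    for name in ("domain", "user"):
        length, _maxlen, offset = struct.unpack_from("<HHI", msg, FIELD_OFFSETS[name])
        if offset + length > len(msg):
            return None   # malformed descriptor; never index past the buffer
        out.append(msg[offset:offset + length].decode(enc, errors="replace"))
    return tuple(out)


def find_watched_logins(payloads, watchlist):
    """Scan raw TCP payloads for an NTLMSSP blob and flag usernames on the watchlist.
    Offsets inside the blob are relative to the signature, so slicing there is enough."""
    watched = {u.lower() for u in watchlist}   # Windows logins are case-insensitive
    hits = []
    for payload in payloads:
        idx = payload.find(NTLMSSP_SIGNATURE)
        if idx == -1:
            continue
        parsed = parse_authenticate(payload[idx:])
        if parsed and parsed[1].lower() in watched:
            hits.append(parsed)
    return hits


def snort_utf16_content(user):
    """Snort content string for the username as NTLM carries it (UTF-16LE).
    Letters and digits stay readable with a |00| high byte; anything else is hex-escaped
    so rule metacharacters such as ; " | and \\ never reach the rule parser raw."""
    parts = []
    for ch in user:
        if ch.isascii() and ch.isalnum():
            parts.append(f"{ch}|00|")
        else:
            parts.append("|" + " ".join(f"{b:02X}" for b in ch.encode("utf-16-le")) + "|")
    return "".join(parts)


def snort_rule(user, sid):
    """Illustrative local rule (SIDs >= 1000000 are reserved for local rules). The
    |03 00 00 00| check pins the match to AUTHENTICATE messages only."""
    return (f'alert tcp any any -> $HOME_NET 445 (msg:"Watched login {user} in NTLM auth"; '
            f'flow:to_server,established; content:"NTLMSSP|00|"; '
            f'content:"|03 00 00 00|"; distance:0; within:4; '
            f'content:"{snort_utf16_content(user)}"; distance:0; nocase; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    sample = b"\xfeSMB" + build_authenticate("CORP", "jesse", "WS01")   # constructed
    print(find_watched_logins([sample], ["JESSE", "olduser"]))
    print(snort_rule("jesse", 1000001))
```

For the Wireshark step, the display filters `ntlmssp.auth.username` and `kerberos.CNameString` expose the same fields this parser pulls out, which makes it easy to confirm on a real capture which protocol the logins actually use before committing to a rule. Note that the content match fires wherever those bytes follow the signature, so a domain or workstation name that happens to contain the username will also alert; the rule is a starting point to tune, not a finished detection.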

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
