Snort mailing list archives
Sanity Check for password change - unsuccessful attempt
From: "Khawaja, Kaleem" <Kaleem.Khawaja () bp com>
Date: Wed, 22 May 2013 15:45:17 -0500
All, My first attempt at writing this rule and will appreciate the keen eyes of the experts here. If you can do a quick sanity check for me and let me know if the syntax and the logic will work. Basically trying to alert on unsuccessful attempts for changing passwords in AD. alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522"; flow:to_client,established; content:"|05|"; offset:14; depth:1; content:"|1e|"; distance:4; within:1; content:"|18|"; distance:30; within:1; content:"changepw"; distance:30; within:8; nocase; detection_filter:track by_src, count 4, seconds 120; classtype:attempted-user; sid:10000061; rev:1; ) regards, Kaleem Khawaja
------------------------------------------------------------------------------ Try New Relic Now & We'll Send You this Cool Shirt New Relic is the only SaaS-based application performance monitoring service that delivers powerful full stack analytics. Optimize and monitor your browser, app, & servers with just a few lines of code. Try New Relic and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Sanity Check for password change - unsuccessful attempt Khawaja, Kaleem (May 22)
- Re: Sanity Check for password change - unsuccessful attempt Joel Esler (May 22)
- Re: Sanity Check for password change - unsuccessful attempt rmkml (May 22)