Re: Sanity Check for password change - unsuccessful attempt

[rmkml <rmkml () yahoo fr>]

Hi Khawaja,

thx you for sharing rule,

I have "changepw" but not on 88/tcp to_client side, found on 464/tcp 
to_server side...

Anyone fire this rule please?

Regards
@Rmkml


On Wed, 22 May 2013, Khawaja, Kaleem wrote:

> All,
>
> My first attempt at writing this rule and will appreciate the keen eyes of the experts here. If you can do a quick 
> sanity check for me and let me know if the syntax and the logic will work. 
>
> Basically trying to alert on  unsuccessful attempts for changing passwords in AD. 
>
> alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522"; flow:to_client,established; content:"|05|"; offset:14; depth:1; 
> content:"|1e|"; distance:4; within:1; content:"|18|"; distance:30;
> within:1; content:"changepw"; distance:30; within:8; nocase; detection_filter:track by_src, count 4, seconds 120; 
> classtype:attempted-user; sid:10000061; rev:1; )
>
> regards,
>
> Kaleem Khawaja
------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!