Snort mailing list archives
Re: Monitor Authentication
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Tue, 24 Jan 2017 15:23:38 +0000
"A good rule that looks for root login on ftp would be:

alert tcp any any -> any 21 (flow:to_server,established; \
    content:"root"; pcre:"/user\s+root/i";)"

Taken from the snort manual here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node36.html

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
SOURCEfire, Inc. now part of Cisco
Email: allewi () cisco com

From: Chris Sandford <chris.sandford () sms-alderley com>
Date: Tuesday, January 24, 2017 at 9:48 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] Monitor Authentication

Hi,

Looking to run Snort to monitor authentication attempts on external facing devices. Does anyone have an example of a rule looking at a single IP of a device for monitoring login attempts? The rule would alert for failed and successful logins if detected.

In my example the login method would be to monitor SSH login attempts on an external facing device; although this is blocked by default, it would be good to monitor for attempted logon requests.

Thanks,
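The question asks for a rule that watches SSH login attempts against one external-facing address, and the reply quotes the manual's FTP rule. As an added example, not from the thread or from the Snort manual, the Python below writes such local rules for a hypothetical monitored host 203.0.113.10 (an assumption; substitute your own address and SID range), parses them back into header and options so syntax slips show up before Snort rejects the file, and emulates the quoted FTP rule against constructed FTP command lines. Two caveats it encodes: SSH authentication happens inside the encrypted session, so Snort can only see that a client reached (or tried to reach) port 22, not whether the login succeeded, which needs the host's auth log; and because Snort's content match is case-sensitive unless nocase is set, the manual's rule never reaches its case-insensitive pcre for "USER ROOT".

```python
"""Added example (not from the Snort manual or the list thread): build local Snort
rules for SSH attempt monitoring, parse them back, and emulate the manual's FTP rule."""
import re

# Hypothetical monitored host and local-rule SID base (assumptions, not from the thread).
MONITORED_HOST = "203.0.113.10"
LOCAL_SID_BASE = 1000001

# The rule quoted in the reply (from the Snort manual), with the line continuation removed.
FTP_ROOT_RULE = ('alert tcp any any -> any 21 (flow:to_server,established; '
                 'content:"root"; pcre:"/user\\s+root/i";)')


def ssh_monitor_rules(host=MONITORED_HOST, base_sid=LOCAL_SID_BASE):
    """Rules for watching SSH login *attempts* against one external-facing host.

    Authentication happens inside the encrypted SSH session, so a network IDS cannot
    tell a failed login from a successful one; it only sees that a client reached the
    service (or tried to). Success/failure has to come from the host's own auth log.
    """
    return [
        # Attempts that never complete (e.g. dropped by the firewall): match the bare
        # SYN and do not require 'established', so the blocked case still alerts.
        f'alert tcp any any -> {host} 22 (msg:"SSH connection attempt to monitored host"; '
        f'flags:S; sid:{base_sid}; rev:1;)',
        # Completed handshakes: the client's version banner is the first bytes it sends.
        f'alert tcp any any -> {host} 22 (msg:"SSH client banner to monitored host"; '
        f'flow:to_server,established; content:"SSH-"; depth:4; sid:{base_sid + 1}; rev:1;)',
        # A burst of attempts from one source (5 in 60 s) is as close as the wire gets
        # to showing a password-guessing run.
        f'alert tcp any any -> {host} 22 (msg:"Repeated SSH attempts from one source"; '
        f'flags:S; detection_filter:track by_src, count 5, seconds 60; sid:{base_sid + 2}; rev:1;)',
    ]


# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)


def _split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    opts, buf, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:                      # keep backslash escapes (e.g. \s in a pcre) intact
            buf.append(ch)
            escaped = False
            continue
        if ch == "\\":
            buf.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            opts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(rule):
    """Parse one Snort rule into its header fields and an ordered (key, value) option list."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: " + rule)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for opt in _split_options(body):
        key, _, value = opt.partition(":")
        options.append((key.strip(), value.strip() or None))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def check_local_rules(rules):
    """Return a list of problems (empty when clean): every rule must parse, carry a sid
    in the local range (1000000 and up), and sids must be unique."""
    problems, seen = [], set()
    for i, rule in enumerate(rules):
        try:
            parsed = parse_rule(rule)
        except ValueError as e:
            problems.append(f"rule {i}: {e}")
            continue
        sids = [v for k, v in parsed["options"] if k == "sid"]
        if not sids:
            problems.append(f"rule {i}: missing sid")
            continue
        sid = int(sids[0])
        if sid < 1000000:
            problems.append(f"rule {i}: sid {sid} is in the reserved (non-local) range")
        if sid in seen:
            problems.append(f"rule {i}: duplicate sid {sid}")
        seen.add(sid)
    return problems


def ftp_root_login(payload: bytes) -> bool:
    """Emulate the manual's FTP rule on one client payload: the case-sensitive
    content:"root" must hit before the case-insensitive pcre is evaluated."""
    return b"root" in payload and re.search(rb"user\s+root", payload, re.I) is not None


if __name__ == "__main__":
    for r in ssh_monitor_rules():
        print(r)
    print("problems:", check_local_rules(ssh_monitor_rules()))
```

Drop the three generated lines into a local.rules file; the SYN-based rules fire on every connection attempt, so pair them with a threshold in snort.conf if the host sees much legitimate SSH traffic.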
Current thread:
- Monitor Authentication Chris Sandford (Jan 24)
- Re: Monitor Authentication Chris Sandford (Jan 25)
- Re: Monitor Authentication Al Lewis (allewi) (Jan 24)