Snort mailing list archives

FW: password sniffingj


From: "Sutton, Andrew" <andrew.sutton () cocc com>
Date: Fri, 17 Aug 2001 08:25:52 -0400

Here's two that I use for telnet.  I suppose you could open it up for any
any for other ports.  The tricky part is what would flag the user/pass in
the content of the packets.

alert tcp any any -> $HOME_NET 21 (msg:"Telnet Username in the _CLEAR!_"; content:"USER"; nocase;)
alert tcp any any -> $HOME_NET 21 (msg:"Telnet Password in the _CLEAR!_"; content:"PASS"; nocase;)

Andrew Sutton
"Shortcuts make for long delays." - J.R.R. Tolkien


-----Original Message-----
From: Tracy R Reed [mailto:treed () ultraviolet org]
Sent: Friday, August 17, 2001 4:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] password sniffingj


Are there snort rules which will detect passwords being sent in cleartext?
I am interested in catching any passwords being sent in the clear in a
number of protocols (http, pop, imap, etc). It is against corporate policy
to send passwords in the clear but we have no way of knowing whether a
developer has done something silly like set up non-ssl http authentication
on some web server somewhere. I suppose I could run linsniff but it would
be nice to have something integrated with snort that supported more
protocols.

-- 
Tracy Reed      http://www.ultraviolet.org
"Every artist is a cannibal, every poet is a thief.
 They all kill their inspiration, and sing about the grief." - U2
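
An added example, not part of either message in this thread: the matching logic behind rules like the two above, written in Python rather than Snort rule syntax and extended to the POP3, IMAP and HTTP Basic logins the question asks about. USER and PASS on port 21 are FTP's login commands. The port numbers, labels and sample payloads are assumptions constructed for illustration. Patterns are anchored to the start of a command line, which addresses the "tricky part" of deciding what should flag a user/pass in the packet content.

```python
import base64
import binascii
import re

FLAGS = re.IGNORECASE | re.MULTILINE  # '^' anchors at the start of each command line

# dst port -> [(label, pattern)]; group 1, when present, is the account name.
# Ports are the conventional defaults (an assumption; adjust to the network).
RULES = {
    21: [("FTP USER", re.compile(rb"^USER +(\S+)", FLAGS)),
         ("FTP PASS", re.compile(rb"^PASS +\S+", FLAGS))],
    110: [("POP3 USER", re.compile(rb"^USER +(\S+)", FLAGS)),
          ("POP3 PASS", re.compile(rb"^PASS +\S+", FLAGS))],
    143: [("IMAP LOGIN", re.compile(rb"^\S+ +LOGIN +(\S+) +\S+", FLAGS))],
    80: [("HTTP Basic",
          re.compile(rb"^Authorization: *Basic +([A-Za-z0-9+/=]+)", FLAGS))],
}

def basic_user(token):
    """Return the user name inside an HTTP Basic token, or None if malformed."""
    try:
        decoded = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    user, sep, _secret = decoded.partition(b":")
    return user.decode("latin-1") if sep else None

def scan(dst_port, payload):
    """Return [(label, account)] for one client-to-server payload."""
    hits = []  # secrets are never stored, so alerts do not become a password log
    for label, pattern in RULES.get(dst_port, []):
        for m in pattern.finditer(payload):
            if not m.groups():
                account = "<redacted>"
            elif label == "HTTP Basic":
                account = basic_user(m.group(1))
                if account is None:
                    continue  # not valid base64 "user:secret"
            else:
                account = m.group(1).decode("latin-1")
            hits.append((label, account))
    return hits

if __name__ == "__main__":
    # Constructed payloads: a bare content:"USER" match would fire on the first one.
    print(scan(21, b"RETR superuser_passwords.txt\r\n"))
    print(scan(21, b"USER alice\r\nPASS s3cret\r\n"))
    print(scan(143, b"a001 LOGIN bob hunter2\r\n"))
```

The first sample returns no hits because neither "USER" nor "PASS" starts a command line there, while an unanchored, case-insensitive content match would alert on the file name.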
