Snort mailing list archives
FW: password sniffingj
From: "Sutton, Andrew" <andrew.sutton () cocc com>
Date: Fri, 17 Aug 2001 08:25:52 -0400
Here's two that I use for telnet. I suppose you could open it up for any any for other ports. The tricky part is what would flag the user/pass in the content of the packets. alert tcp any any -> $HOME_NET 21 (msg:"Telnet Username in the _CLEAR!_";content: "USER";nocase;) alert tcp any any -> $HOME_NET 21 (msg:"Telnet Password in the _CLEAR!_";content: "PASS";nocase;) Andrew Sutton "Shortcuts make for long delays." - J.R.R. Tolken -----Original Message----- From: Tracy R Reed [mailto:treed () ultraviolet org] Sent: Friday, August 17, 2001 4:58 AM To: snort-users () lists sourceforge net Subject: [Snort-users] password sniffingj Are there snort rules which will detect passwords being sent in cleartext? I am interested in catching any passwords being sent in the clear in a number of protocols (http, pop, imap, etc). It is against corporate policy to send passswords in the clear but we have no way of knowing whether a developer has done something silly like set up non-ssl http authentication on some web server somewhere. I suppose I could run linsniff but it would be nice to have something integrated with snort that supported more protocols. -- Tracy Reed http://www.ultraviolet.org "Every artist is a cannibal, every poet is a thief. They all kill their inspiration, and sing about the grief." - U2 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- password sniffingj Tracy R Reed (Aug 17)
- Re: password sniffingj Pär Thoren (Aug 17)
- <Possible follow-ups>
- FW: password sniffingj Sutton, Andrew (Aug 17)
- RE: password sniffingj Dell, Jeffrey (Aug 17)
- Re: password sniffingj Michael Boman (Aug 17)
- Re: FW: password sniffingj Neil Dickey (Aug 17)