Snort mailing list archives

RE: password sniffingj


From: "Dell, Jeffrey" <JDell () seisint com>
Date: Fri, 17 Aug 2001 08:51:44 -0400

The only problem is that port 21 isn't telnet, it is ftp. Telnet sits on
port 23. Unless you are checking to see if people have set up a telnet daemon
on port 21, I would make sure you fix that...

Jeff

-----Original Message-----
From: Sutton, Andrew [mailto:andrew.sutton () cocc com]
Sent: Friday, August 17, 2001 8:26 AM
To: 'snort-users () lists sourceforge net'
Subject: FW: [Snort-users] password sniffingj


Here are two that I use for telnet.  I suppose you could open it up for any
any for other ports.  The tricky part is what would flag the user/pass in
the content of the packets.

alert tcp any any -> $HOME_NET 21 (msg:"Telnet Username in the _CLEAR!_";content: "USER";nocase;)
alert tcp any any -> $HOME_NET 21 (msg:"Telnet Password in the _CLEAR!_";content: "PASS";nocase;)

Andrew Sutton
"Shortcuts make for long delays." - J.R.R. Tolkien


-----Original Message-----
From: Tracy R Reed [mailto:treed () ultraviolet org]
Sent: Friday, August 17, 2001 4:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] password sniffingj


Are there snort rules which will detect passwords being sent in cleartext?
I am interested in catching any passwords being sent in the clear in a
number of protocols (http, pop, imap, etc). It is against corporate policy
to send passwords in the clear but we have no way of knowing whether a
developer has done something silly like set up non-ssl http authentication
on some web server somewhere. I suppose I could run linsniff but it would
be nice to have something integrated with snort that supported more
protocols.

-- 
Tracy Reed      http://www.ultraviolet.org
"Every artist is a cannibal, every poet is a thief.
 They all kill their inspiration, and sing about the grief." - U2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
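
Added example, not code from anyone in this thread: a Python sketch of the per-protocol matching that cleartext-credential rules need, generalized to the POP3, IMAP and HTTP Basic cases asked about in the original question. The port-to-protocol table, function name and sample payloads are assumptions constructed for illustration.

```python
import base64
import re

# Constructed table: server port -> (protocol, line-anchored credential pattern).
# Anchoring avoids the false positives of a bare "USER"/"PASS" substring match.
CMD = re.compile(rb"^(USER|PASS)[ \t]+(\S.*)$", re.I)
SIGNATURES = {
    21: ("ftp", CMD),    # FTP control channel (telnet is 23 and has no USER/PASS verbs)
    110: ("pop3", CMD),
    143: ("imap", re.compile(rb"^\S+[ \t]+(LOGIN)[ \t]+(\S.*)$", re.I)),
    80: ("http", re.compile(rb"^(Authorization):[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)[ \t]*$", re.I)),
}

def find_cleartext_credentials(dst_port, payload):
    """Return (protocol, field, detail) findings; passwords are never returned."""
    if dst_port not in SIGNATURES:
        return []
    proto, pattern = SIGNATURES[dst_port]
    findings = []
    for line in payload.split(b"\n"):
        m = pattern.match(line.rstrip(b"\r"))
        if not m:
            continue
        field, value = m.group(1).upper().decode(), m.group(2).strip()
        if proto == "http":
            try:  # Basic auth carries base64("user:password")
                decoded = base64.b64decode(value, validate=True)
            except ValueError:
                continue
            findings.append((proto, "BASIC", decoded.split(b":", 1)[0].decode("latin-1")))
        elif proto == "imap":  # "<tag> LOGIN <user> <password>"
            findings.append((proto, "LOGIN", value.split()[0].strip(b'"').decode("latin-1")))
        elif field == "USER":
            findings.append((proto, "USER", value.decode("latin-1")))
        else:
            findings.append((proto, "PASS", "<redacted>"))
    return findings

# Constructed sample payloads (not captured traffic).
SAMPLES = [
    (21, b"USER alice\r\nPASS hunter2\r\n"),
    (143, b'a001 LOGIN "carol" "pw"\r\n'),
    (80, b"GET /admin HTTP/1.0\r\nAuthorization: Basic ZGF2ZTpwdw==\r\n\r\n"),
    (80, b"POST /form HTTP/1.0\r\n\r\ncomment=new user passed the test"),
]

if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, find_cleartext_credentials(port, data))
```

The last sample contains the words "user" and "pass" in ordinary text and produces no finding, which is the case a payload-wide substring match would flag.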

