Snort mailing list archives
RE: password sniffingj
From: "Dell, Jeffrey" <JDell () seisint com>
Date: Fri, 17 Aug 2001 08:51:44 -0400
The only problem is that port 21 isn't telnet, it is ftp. Telnet sits on port 23. Unless you are checking to see if people have set up a telnet daemon on port 21, I would make sure you fix that...

Jeff

-----Original Message-----
From: Sutton, Andrew [mailto:andrew.sutton () cocc com]
Sent: Friday, August 17, 2001 8:26 AM
To: 'snort-users () lists sourceforge net'
Subject: FW: [Snort-users] password sniffingj

Here's two that I use for telnet. I suppose you could open it up for any any for other ports. The tricky part is what would flag the user/pass in the content of the packets.

alert tcp any any -> $HOME_NET 21 (msg:"Telnet Username in the _CLEAR!_";content: "USER";nocase;)
alert tcp any any -> $HOME_NET 21 (msg:"Telnet Password in the _CLEAR!_";content: "PASS";nocase;)

Andrew Sutton
"Shortcuts make for long delays." - J.R.R. Tolkien

-----Original Message-----
From: Tracy R Reed [mailto:treed () ultraviolet org]
Sent: Friday, August 17, 2001 4:58 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] password sniffingj

Are there snort rules which will detect passwords being sent in cleartext? I am interested in catching any passwords being sent in the clear in a number of protocols (http, pop, imap, etc). It is against corporate policy to send passwords in the clear but we have no way of knowing whether a developer has done something silly like set up non-ssl http authentication on some web server somewhere. I suppose I could run linsniff but it would be nice to have something integrated with snort that supported more protocols.

--
Tracy Reed http://www.ultraviolet.org
"Every artist is a cannibal, every poet is a thief. They all kill their inspiration, and sing about the grief." - U2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
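The following is an added example, not code from any poster in this thread or from the Snort project: Python detection logic for cleartext credentials in the protocols raised above (FTP, POP3, IMAP, HTTP Basic), keyed by destination port and anchored to the start of a command line rather than matching "USER" or "PASS" anywhere in the payload. The ports are the standard service ports, the function name is hypothetical, and the sample payloads are constructed.

```python
import base64
import re

# (protocol, standard server port, pattern applied to each client-to-server line)
# Assumption: services listen on their default ports; extend the table otherwise.
RULES = [
    ("ftp", 21, re.compile(rb"^(USER|PASS) +\S", re.I)),
    ("pop3", 110, re.compile(rb"^(USER|PASS) +\S", re.I)),
    ("imap", 143, re.compile(rb"^\S+ +LOGIN +\S+ +\S", re.I)),
    ("http", 80, re.compile(rb"^Authorization: *Basic +([A-Za-z0-9+/=]+)", re.I)),
]
# Port 23 (telnet) has no entry: telnet logins are not USER/PASS command lines.

def find_cleartext_credentials(dst_port, payload):
    """Return (protocol, kind) findings for one client-to-server payload.

    Only the fact that a credential was seen is reported, never its value.
    """
    findings = []
    for proto, port, pattern in RULES:
        if port != dst_port:
            continue
        for line in payload.split(b"\r\n"):
            m = pattern.match(line)
            if not m:
                continue
            if proto == "http":
                # Basic auth carries base64("user:password"); verify that shape
                try:
                    decoded = base64.b64decode(m.group(1), validate=True)
                except ValueError:
                    continue
                if b":" not in decoded:
                    continue
                kind = "basic-auth"
            elif proto == "imap":
                kind = "login"
            else:
                kind = m.group(1).decode().lower()
            findings.append((proto, kind))
    return findings

# Constructed sample traffic (not captured from any real network)
BASIC = base64.b64encode(b"alice:example")
SAMPLES = [
    (21, b"USER alice\r\n"),
    (143, b"a001 LOGIN alice example\r\n"),
    (80, b"GET /admin HTTP/1.0\r\nAuthorization: Basic " + BASIC + b"\r\n\r\n"),
    (21, b"RETR passwords-user.txt\r\n"),  # contains "pass"/"user", not a login
]
if __name__ == "__main__":
    for port, data in SAMPLES:
        print(port, find_cleartext_credentials(port, data))
```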
Current thread:
- password sniffingj Tracy R Reed (Aug 17)
- Re: password sniffingj Pär Thoren (Aug 17)
- <Possible follow-ups>
- FW: password sniffingj Sutton, Andrew (Aug 17)
- RE: password sniffingj Dell, Jeffrey (Aug 17)
- Re: password sniffingj Michael Boman (Aug 17)
- Re: FW: password sniffingj Neil Dickey (Aug 17)