Re: rule for cacti failed login

[Jeremy Hoel <jthoel () gmail com>]

the classtype of the rule is what is used when Snorby assigns severity.  As
for the message body, use pulledpork.pl and it will generate the proper sig
message mappings so that further messages will have a proper description.

On Mon, Sep 15, 2014 at 4:16 AM, Sharif Uddin <Sharif.Uddin () spectrumasa com>
wrote:

>  I want to able to give a description for the when it appears in snorby.
> How do I do that?
>
>
>
> And also classify it as high severity?
>
>
>
>
>
> alert tcp $HOME_NET any -> $HOME_NET any (msg:"Failed Apache Login";
> content:"Invalid User Name/Password"; sid:1000000;
> rev:1;classtype:attempted-admin;)
>
>
>
>
>
>
>
>
>
> *From:* Jeremy Hoel [mailto:jthoel () gmail com]
> *Sent:* 12 September 2014 18:32
> *To:* Sharif Uddin
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] rule for cacti failed login
>
>
>
> You can't do anything in the rule to change that. that is because the src
> of the traffic that you are looking for (the error message) is the
> webserver.. the client receives the traffic to know that the login is bad.
>
>
>
> On Fri, Sep 12, 2014 at 4:39 PM, Sharif Uddin <
> Sharif.Uddin () spectrumasa com> wrote:
>
> Hello
>
>
>
>
>
> I want to create a rule for failed login access on apache. Attached has
> the tcpdump of the failed attempt. My rule is
>
>
>
>
>
> alert tcp $HOME_NET any -> $HOME_NET any (msg:"failed apache login";
> content:"Invalid User Name/Password"; sid:1000000; rev:1;)
>
>
>
>
>
> this rule captures source as the web server. How do I amend this rule so
> source is client
>
>
>
>
>
>
>
>
>
>
>
> Sharif Uddin
> *Development/Support Engineer*
> -------------------
>
> *Spectrum Geo Ltd*
> Dukes Court, Duke Street
> Woking, Surrey
> GU21 5BH
> UNITED KINGDOM
>
> Tel: +44 (0) 1483 730201
> Fax: +44 (0) 1483 762620
>
>
>
> www.spectrum*asa*.com <http://www.spectrumasa.com/>
>
>
>
>
> IMPORTANT - This message and any attached files contain information
> intended for the exclusive use of the party or parties to whom it is
> addressed and may contain information that is proprietary, privileged,
> confidential and/or exempt from disclosure under applicable law. If you are
> not an intended recipient, you are hereby notified that any viewing,
> copying, disclosure or distribution of this information may be subject to
> legal restriction or sanction. Please notify the sender immediately and
> delete the original message without making any copies. Copyright in this
> email and any attachments belong to Spectrum Geo Limited.
> We cannot guarantee the security or confidentiality of email
> communications. We do not accept any liability for losses or damages that
> you may suffer as a result of your receipt of this email.
> Email communication with Spectrum Geo Ltd., may be monitored as permitted
> by UK legislation.
> Spectrum Geo Limited, is a limited company registered in England and
> Wales. Registered number: 1979422. Registered office: 95 Aldwych, London
> WC2B 4JF.
>
>
>
> ------------------------------------------------------------------------------
> Want excitement?
> Manually upgrade your production database.
> When you want reliability, choose Perforce
> Perforce version control. Predictably reliable.
>
> http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
> IMPORTANT - This message and any attached files contain information
> intended for the exclusive use of the party or parties to whom it is
> addressed and may contain information that is proprietary, privileged,
> confidential and/or exempt from disclosure under applicable law. If you are
> not an intended recipient, you are hereby notified that any viewing,
> copying, disclosure or distribution of this information may be subject to
> legal restriction or sanction. Please notify the sender immediately and
> delete the original message without making any copies. Copyright in this
> email and any attachments belong to Spectrum Geo Limited.
> We cannot guarantee the security or confidentiality of email
> communications. We do not accept any liability for losses or damages that
> you may suffer as a result of your receipt of this email.
> Email communication with Spectrum Geo Ltd., may be monitored as permitted
> by UK legislation.
> Spectrum Geo Limited, is a limited company registered in England and
> Wales. Registered number: 1979422. Registered office: 95 Aldwych, London
> WC2B 4JF.

------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!