Snort mailing list archives
Snort rules for detecting password in cleartext
From: Neeraj Shah via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 19 Mar 2018 19:21:00 -0400
Hello All,

I am looking for help if someone has a Snort rule to detect a clear-text password being used while logging in via Telnet or HTTP, and perhaps a rule for detecting default passwords. I ran a Telnet session by logging in using a default password to a network switch and captured the PCAP file. However, I am not sure what I should search for using the "content" keyword in my Snort rule. The reason is that I had to do a "Follow TCP Stream" in Wireshark to be able to see the password in clear text.

alert tcp $HOME_NET any -> $HOME_NET 23 (msg:" TELNET:Default password login attempt"; flow:to_server,established; content:""; fast_pattern:only; classtype:default-login-attempt; sid:10000007; rev:1;)
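Added example, not part of the original post and not the poster's rule or capture: a sketch of why the password showed up only under "Follow TCP Stream", and why a single-packet content match finds nothing. It assumes the Telnet client was in character-at-a-time mode (one keystroke per TCP segment); the segments, credentials, watch list and function names are all constructed for illustration.

```python
# Added example on constructed data; nothing here comes from the poster's PCAP.
IAC, SB, SE = 0xFF, 0xFA, 0xF0  # Telnet command bytes (RFC 854)
DEFAULT_PASSWORDS = {"admin123", "changeme"}  # constructed watch list

def build_sample_segments():
    """Client-to-server segments as (relative seq, payload); credentials are made up."""
    segs, seq = [(0, bytes([IAC, 0xFB, 0x18]))], 3  # IAC WILL TERMINAL-TYPE
    for ch in b"admin\r\x00admin123\r\x00":  # one keystroke per segment
        segs.append((seq, bytes([ch])))
        seq += 1
    return segs + [(4, b"d")]  # plus one retransmitted keystroke

def reassemble(segments):
    """Order by sequence number, drop retransmitted bytes, stop at a gap."""
    stream = bytearray()
    for seq, payload in sorted(segments):
        if seq > len(stream):
            break  # missing data: do not guess what was typed
        stream += payload[len(stream) - seq:]
    return bytes(stream)

def strip_telnet_commands(data):
    """Remove IAC option negotiation so only typed bytes remain."""
    out, i = bytearray(), 0
    while i < len(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif nxt == IAC:                      # escaped literal 0xFF
            out.append(IAC); i += 2
        elif nxt == SB:                       # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif nxt is not None and 0xFB <= nxt <= 0xFE:  # WILL/WONT/DO/DONT + option
            i += 3
        else:                                 # other two-byte command
            i += 2
    return bytes(out)

def typed_lines(stream):
    """Split the cleaned stream into the lines the user submitted."""
    text = strip_telnet_commands(stream).replace(b"\r\x00", b"\n").replace(b"\r\n", b"\n")
    return [line.decode("latin-1") for line in text.split(b"\n") if line]

def per_packet_hits(segments):
    """What a match confined to one segment's payload would see."""
    return [s for s, p in segments if any(pw.encode() in p for pw in DEFAULT_PASSWORDS)]

def stream_hits(segments):
    return [l for l in typed_lines(reassemble(segments)) if l in DEFAULT_PASSWORDS]
```

On the constructed session, `per_packet_hits` returns nothing while `stream_hits` returns the watched password, which is the same difference as between Wireshark's packet view and its "Follow TCP Stream" view.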