Snort mailing list archives

Snort rules for detecting password in cleartext


From: Neeraj Shah via Snort-sigs <snort-sigs () lists snort org>
Date: Mon, 19 Mar 2018 19:21:00 -0400

Hello All,
I am looking for help if someone has a Snort rule to detect a clear-text
password being used while logging in via Telnet or HTTP, and perhaps a rule
for detecting default passwords.
I ran a telnet session by logging in using a default password to a network
switch and captured the PCAP file. However, I am not sure what I should use
to search for using the "content" keyword in my Snort rule. The reason being,
I had to do a "Follow TCP Stream" in Wireshark to be able to see the
password in clear text in Wireshark.

alert tcp $HOME_NET any -> $HOME_NET 23 (msg:" TELNET:Default password login attempt"; flow:to_server,established; content:""; fast_pattern:only; classtype:default-login-attempt; sid:10000007; rev:1;)
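An added example, not part of the original post or of Snort: it shows why a password that is only visible after "Follow TCP Stream" does not appear in any single packet, and how a check on the reassembled client-to-server stream finds it. It assumes the session ran in character-at-a-time mode with one keystroke per TCP segment (not stated in the post) and that segments are already in order; the sample traffic, the user name and the password list are constructed.

```python
# Added example: constructed sample data, hypothetical helper names.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT
# Placeholder default passwords (assumption; substitute your device list).
DEFAULT_PASSWORDS = {b"admin", b"password", b"changeme"}

def strip_telnet_commands(data: bytes) -> bytes:
    """Drop telnet IAC command sequences, keeping only typed user data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                      # truncated command at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC)            # IAC IAC is an escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3                     # IAC <verb> <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)  # first IAC SE closes it
            i = len(data) if end < 0 else end + 2
        else:
            i += 2                     # other two-byte command
    return bytes(out)

def typed_lines(segments):
    """Join in-order client payloads and split on telnet line endings."""
    stream = strip_telnet_commands(b"".join(segments))
    stream = stream.replace(b"\r\n", b"\n").replace(b"\r\x00", b"\n")
    return [line for line in stream.split(b"\n") if line]

def find_default_logins(segments):
    """Typed lines that exactly match a known default password."""
    return [line for line in typed_lines(segments) if line in DEFAULT_PASSWORDS]

def any_segment_contains(segments, needle: bytes) -> bool:
    """What a per-packet content match can see."""
    return any(needle in seg for seg in segments)

# Constructed client-to-server payloads: option negotiation, then keystrokes.
SAMPLE_SEGMENTS = (
    [b"\xff\xfb\x18\xff\xfd\x01\xff\xfd\x03"]
    + [bytes([c]) for c in b"netops"] + [b"\r\x00"]
    + [bytes([c]) for c in b"changeme"] + [b"\r\x00"]
)

if __name__ == "__main__":
    print("per-packet match:", any_segment_contains(SAMPLE_SEGMENTS, b"changeme"))
    print("stream match:", find_default_logins(SAMPLE_SEGMENTS))
```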