[Snort-users] ACID and Snort rules
From: snort (snort michaelslab.com)
Date: Tue Sep 20 2005 - 23:01:31 CDT
I would like to make a rule for users accessing certain sites via their log. I am tasked to prove that users are authenticating into specific sites. I would like to get as specific as user name and password.
I want to create rules based on payload data; however, I have not been successful.
An example: I would like to trigger this rule to happen for any IP address the sensor sees. I'm going to change the content around to something like passwd etc. etc. I understand it's case sensitive when searching the payload data.
alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP root login";)
Can someone give me more examples of a Snort rule to accomplish this task? What would rules look like searching the payload data? Where do I put the rule, and how do I have it both alert and log to the database?
I have been reading some forums, and they are helpful in talking about the construction of a rule and its parts and what each one means. I can use some help now. Thank you.