Home page logo

snort logo Snort mailing list archives

Re: Sanity Check for password change - unsuccessful attempt
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 22 May 2013 17:26:35 -0400

On May 22, 2013, at 4:45 PM, "Khawaja, Kaleem" <Kaleem.Khawaja () bp com> wrote:


My first attempt at writing this rule and will appreciate the keen eyes of the experts here. If you can do a quick 
sanity check for me and let me know if the syntax and the logic will work. 

Basically trying to alert on  unsuccessful attempts for changing passwords in AD. 

alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522"; flow:to_client,established; content:"|05|"; 
offset:14; depth:1; content:"|1e|"; distance:4; within:1; content:"|18|"; distance:30; within:1; content:"changepw"; 
distance:30; within:8; nocase; detection_filter:track by_src, count 4, seconds 120; classtype:attempted-user; 
sid:10000061; rev:1; )

In order to look at something like this, you'd/we'd need a pcap to analyze.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager

Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may
Snort-sigs mailing list
Snort-sigs () lists sourceforge net

Please visit http://blog.snort.org for the latest news about Snort!

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]