Snort mailing list archives
Re: sorta new at doing this with snort
From: "Imran William Smith" <iwsmith () mimos my>
Date: Thu, 4 Jul 2002 15:23:25 +0800
I wrote the following rule, which checks for POP3 cleartext passwords, for organisations where corporate policy dictates that cleartext email passwords are not used. But you'd have to write a different signature for each protocol.

alert tcp $HOME_NET any -> $HOME_NET 110 (msg:"INFO POP3 cleartext password"; flags: A+; content: "PASS "; classtype:misc-activity; sid:1000010; rev:1;)

--
Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message -----
From: "Don" <Don () WeberOnTheWeb com>
To: <snort-users () lists sourceforge net>
Sent: Thursday, July 04, 2002 2:50 PM
Subject: [Snort-users] sorta new at doing this with snort

| Any help would be appreciated. I have a mail server, of course, and am
| currently getting bombarded with the $domain type of spam, and bogus address
| stuff. The spam doesn't relay, but every one of my users gets tons of email
| from themselves, and every other username or list name on the network,
| primarily postmaster/webmaster etc. I'd like to get snort to alert when
| anything/anyone connects to my mail server with the $domain as their helo or
| ehlo name, and as a result of the alert, automatically place that ip in a
| block list using iptables or whatever I have the option to use, possibly
| blocking the ip for a period of time, or indefinitely or until I remove it
| manually. Any of those options would work for me really. Any ideas? If you
| need more info on what I am trying to do, contact me off-list and I'll try
| to explain in more detail.
| Also,
| I'd like to set up a separate rule on other boxes to look for, say, the word
| "bogus" or "thisismypassword" or any single word on a specific port. Any
| suggestions on how to do that? In one case I wish to make sure passwords
| aren't sent in cleartext; in another case, I just want to see if particular
| words are passed thru port 20 for instance.
|
| win32/win2k latest snort and ruleset, as of a week or 2 ago
|
| Don

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
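The per-protocol matching that the POP3 rule above performs, and the reason a separate signature is needed for each protocol, as an added example that is not part of either post and is not Snort code: a small Python matcher that applies one signature per protocol (POP3, FTP, IMAP, SMTP AUTH) to constructed client-to-server payloads, plus a builder for the "HELO/EHLO claims our own domain" check asked about in the original message. The addresses, user names, the domain mail.example.org, the SIDs other than 1000010, and the helper names Signature, Packet, match, scan and helo_signature are all assumptions; the matcher checks only destination port and payload, not the TCP flags or traffic direction that the Snort rule also constrains.

```python
"""Toy per-protocol cleartext-credential matcher in the spirit of the POP3 rule
in this thread.  Added example, not Snort and not code from the posts: it keys
signatures on destination port and a payload pattern only."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dst_port: int
    pattern: re.Pattern  # compiled, anchored to the start of a protocol line


# One signature per protocol: each has its own command syntax, so the
# POP3 "PASS " check does not carry over to IMAP or SMTP.  Patterns are
# case-insensitive (the equivalent of Snort's `nocase` modifier) because
# these protocols accept commands in any case.  SIDs above 1000010 are
# assumed, not from the thread.
SIGNATURES = [
    Signature(1000010, "INFO POP3 cleartext password", 110,
              re.compile(rb"^PASS\s+\S", re.I | re.M)),
    Signature(1000011, "INFO FTP cleartext password", 21,
              re.compile(rb"^PASS\s+\S", re.I | re.M)),
    Signature(1000012, "INFO IMAP cleartext LOGIN", 143,
              re.compile(rb"^\S+\s+LOGIN\s+\S+\s+\S", re.I | re.M)),
    Signature(1000013, "INFO SMTP AUTH PLAIN/LOGIN", 25,
              re.compile(rb"^AUTH\s+(PLAIN|LOGIN)\b", re.I | re.M)),
]


def helo_signature(domain: str, sid: int = 1000014) -> Signature:
    """Build the check from the original question: alert when a client's
    HELO/EHLO name is our own domain.  The domain is escaped so dots in it
    are matched literally."""
    pat = rb"^(HELO|EHLO)\s+" + re.escape(domain.encode()) + rb"\s*$"
    return Signature(sid, "INFO SMTP HELO/EHLO claims our own domain", 25,
                     re.compile(pat, re.I | re.M))


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # client -> server data only


def match(packet: Packet, signatures=SIGNATURES):
    """Return the (sid, msg) pairs whose port and pattern both hit this packet."""
    return [(s.sid, s.msg) for s in signatures
            if s.dst_port == packet.dst_port and s.pattern.search(packet.payload)]


def scan(packets, signatures=SIGNATURES):
    """Return alert lines in the style of Snort's fast alert output."""
    alerts = []
    for p in packets:
        for sid, msg in match(p, signatures):
            alerts.append(f"[1:{sid}:1] {msg} {{TCP}} {p.src} -> {p.dst}:{p.dst_port}")
    return alerts


# Constructed sample traffic; hosts, users and secrets are made up.
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.2", 110, b"USER alice\r\n"),
    Packet("10.0.0.5", "10.0.0.2", 110, b"pass hunter2\r\n"),  # lower case: would evade a case-sensitive match
    Packet("10.0.0.5", "10.0.0.2", 143, b"a001 LOGIN alice hunter2\r\n"),
    Packet("10.0.0.5", "10.0.0.2", 25, b"EHLO mail.example.org\r\nAUTH PLAIN AGFsaWNlAGh1bnRlcjI=\r\n"),
    Packet("10.0.0.5", "10.0.0.2", 25, b"AUTH CRAM-MD5\r\n"),  # challenge-response, not cleartext
    Packet("10.0.0.5", "10.0.0.2", 80, b"PASS hunter2\r\n"),   # wrong port: no signature applies
]

if __name__ == "__main__":
    for line in scan(SAMPLE + [], SIGNATURES + [helo_signature("mail.example.org")]):
        print(line)
```

Two points the sample traffic is chosen to show: the lower-case `pass` on port 110 is caught only because the pattern is case-insensitive, which in Snort means adding `nocase` to the `content` match, since `content` is case-sensitive by default; and `AUTH CRAM-MD5` on port 25 produces no alert, because a challenge-response mechanism does not put the password on the wire, so it is not the policy violation the rule is looking for.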
Current thread:
- RFC: Forking Snort Jed Pickel (Jul 02)
- Re: [Snort-devel] RFC: Forking Snort Ryan Russell (Jul 02)
- Re: [Snort-devel] RFC: Forking Snort james (Jul 02)
- Re: RFC: Forking Snort Erek Adams (Jul 02)
- Re: RFC: Forking Snort Martin Roesch (Jul 02)
- <Possible follow-ups>
- Re: RFC: Forking Snort Andrew R. Baker (Jul 02)
- sorta new at doing this with snort Don (Jul 04)
- Re: sorta new at doing this with snort Imran William Smith (Jul 04)
- sorta new at doing this with snort Don (Jul 04)
- Re: RFC: Forking Snort Jed Pickel (Jul 04)
- Re: RFC: Forking Snort Kyle R. Hofmann (Jul 04)
- Re: [Snort-devel] Re: RFC: Forking Snort Martin Roesch (Jul 04)
- Re: Re: [Snort-devel] Re: RFC: Forking Snort John Sage (Jul 04)
- Re: [Snort-devel] RFC: Forking Snort Ryan Russell (Jul 02)
