Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-users] ACID and Snort rules

from [Briggs, Bruce] Network Security [Permanent Link]
Subject: RE: [Snort-users] ACID and Snort rules
Date: Tue, 20 Sep 2005 11:17:16 -0400 
The Snort docs are always a good place to start especially the manual
and the FAQs.
Lots of details.
 
There is also the   nocase   keyword, which may be helpful to you.
 
In your Snort setup, make sure that this rule is included in your
snort.conf or a file which is in an    include   statement in your
snort.conf.
 
Your rule should work, assuming that packets with this payload are being
seen by Snort and you rule is in the snort.conf.
 
Bruce

  _____  

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of snort
Sent: Wednesday, September 21, 2005 12:02 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] ACID and Snort rules


I will like to make a rule for users accessing certian sites via their
log.  I am tasked to prove that users are authenticating into specific
sites.  I will like to get as specific as user name and password.  
 
I want to create rules based on payload data however i have not been
successfull
 an example.  I would like to trigger this rule to happen for any ip
address the sensor sees. Im going to change the content around to
something like passwd  etc etc.  I understand its case sensative when
searching the payload data. 
 
alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP
root login";) 

 
Can some one give me more examples of a snort rule  to accomplish this
task.  What would rules look like searching the payload data??    Where
do I put the rule and how do i have it both alert and log to the
database.
 
I been reading some fourms and they are helpful in talking about the
construction of a rule and its parts  and what each one means.  I can
use some help now   thank you
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Dumb BASE question, LW
Next by Date:  Re: [Snort-users] how to configure snort with vlan, Russ Starr
Previous by Thread:  [Snort-users] ACID and Snort rules, snort
Next by Thread:  [Snort-users] No content match in modern snorts, nard
Indexes:  [Date] [Thread] [Top] [All Lists]