[Snort-sigs] keywords "tag" and "session"
cedric.foll at ...1947...
Fri Nov 28 07:59:05 EST 2003
I'd like to register the session when a user fails to authenticate on my
I wrote a rule which works well, but I fail to register more than the
packet which matched.
This is my rule:
alert tcp $HOME_NET 110 -> $EXTERNAL_NET any (msg:"Mot de passe incorrect POP"; flow:established,to_client; session: printable; tag:host,60,seconds,src; content:"-ERR Password incorrect"; dsize:<256; classtype:bad-unknown; sid:30000001; rev:1;)
The problem is my SESSION file has only the line '-ERR Password
incorrect' even if the user makes many tries during the first minute.
So what is wrong with my rule?
How can I write my rule to register the whole session when an incorrect
authentication is done?