[Snort-sigs] keywords "tag" and "session"

Cedric Foll cedric.foll at ...1947...
Fri Nov 28 07:59:05 EST 2003


Hi,

I'd like to register the session when a user fails to authenticate on my
POP3 server.
I wrote a rule which works well, but I fail to register more than the
packet which matched.
This is my rule:

alert tcp $HOME_NET 110 -> $EXTERNAL_NET any (msg:"Mot de passe incorrect POP"; flow:established,to_client; session: printable; tag:host,60,seconds,src; content:"-ERR Password incorrect"; dsize:<256; classtype:bad-unknown; sid:30000001; rev:1;)

The problem is my SESSION file has only the line '-ERR Password
incorrect' even if the user makes many tries during the first minute.

So what is wrong with my rule?
How can I write my rule to register the whole session when an incorrect
authentication is done?


Regards

-- 
Cédric Foll