[Snort-sigs] Failed Login Attempts

justice737 at ...2689... justice737 at ...2689...
Thu Dec 30 07:50:01 EST 2004


I am very new to SNORT and I was wondering if the following is possible for a signature. Our environment is very large and the regular SNORT signatures for this type of thing fire way too much. However, we have another IDS device (very old) that does pick up this type of information (however, it is not signature base) - we are trying to write SNORT rules for all these situations. Mainly want to know if this is possible in SNORT? If so anyidea on how?

Failed Login attempt: 1 user name* with three failed login attempts then fire. 

*user id: smithd (here this can not be anonymous or we get way too many false positives, but it could be any type of characters other than the word anonymous)

This could be any characters/numbers/symbols for passwords:
password: Jake (failed) 
password: Love (failed) 
password: !@##@ (failed) 

Any help would be greatly appreciated. Thanks so much in advance.

Join Excite! - http://www.excite.com
The most personalized portal on the Web!

More information about the Snort-sigs mailing list