[Snort-sigs] Failed Cisco router authentication attempts/rule

Joshua Wright jwright at ...2228...
Mon Feb 16 18:53:02 EST 2004


I noticed there wasn't a rule for failed Cisco router authentication 
attempts - in case this is useful for someone:

# depth must be large enough to hold the whole pattern: the payload begins with
# CRLF, so "% Login invalid" ends at byte 17 and a depth of 2 could never match.
alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"Failed Cisco Device \
Authentication"; content:"% Login invalid"; depth:32; \
flow:from_server,established; classtype:attempted-admin; \
sid:100002; rev:1;)

Here is a trace I used to generate this rule:

102  35.766733  198.7.249.1 -> 10.9.1.10    TELNET Telnet Data ...

0000  08 00 20 c6 5a c8 00 04 28 43 0c 0a 08 00 45 c0   .. .Z...(C....E.
0010  00 3b 00 1e 00 00 fe 06 f1 c2 c6 07 f9 01 0a 09   .;..............
0020  01 0a 00 17 d3 1f b8 a2 6d a3 f4 0b ba 5f 50 18   ........m...._P.
0030  0f d7 1f 74 00 00 0d 0a 25 20 4c 6f 67 69 6e 20   ...t....% Login
0040  69 6e 76 61 6c 69 64 0d 0a                        invalid..


-- 
-Joshua Wright
jwright at ...2228...
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
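Added example, not part of the original post: it rebuilds the frame from the hex dump above, walks the Ethernet/IPv4/TCP headers by their length fields to reach the Telnet data, and replays Snort's content/offset/depth semantics over it, showing which search windows can actually fire on this packet. The hex dump is the one from the post; the matching function is a simplified model of Snort's behaviour, not Snort's own code.

```python
import re
from typing import Optional

# Frame taken from the trace in the post (Ethernet II + IPv4 + TCP + Telnet data).
HEXDUMP = """
0000  08 00 20 c6 5a c8 00 04 28 43 0c 0a 08 00 45 c0   .. .Z...(C....E.
0010  00 3b 00 1e 00 00 fe 06 f1 c2 c6 07 f9 01 0a 09   .;..............
0020  01 0a 00 17 d3 1f b8 a2 6d a3 f4 0b ba 5f 50 18   ........m...._P.
0030  0f d7 1f 74 00 00 0d 0a 25 20 4c 6f 67 69 6e 20   ...t....% Login
0040  69 6e 76 61 6c 69 64 0d 0a                        invalid..
"""

def parse_hexdump(dump: str) -> bytes:
    """Keep the hex byte columns, drop the offset column and the ASCII gutter."""
    frame = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:17]:            # at most 16 bytes per row
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break                             # reached the ASCII gutter
            frame.append(int(tok, 16))
    return bytes(frame)

def tcp_payload(frame: bytes) -> bytes:
    """Locate the TCP data using IHL and the TCP data offset, not fixed offsets."""
    ip = frame[14:]                               # 14-byte Ethernet II header
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    tcp = ip[ihl:]
    data_off = (tcp[12] >> 4) * 4                 # TCP header length in bytes
    return tcp[data_off:]

def content_matches(payload: bytes, content: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort-style window: search starts at `offset` and covers `depth` bytes;
    the whole pattern must lie inside that window to match."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window

def check_rule_windows() -> dict:
    payload = tcp_payload(parse_hexdump(HEXDUMP))
    pat = b"% Login invalid"
    return {
        "payload": payload,                                  # b"\r\n% Login invalid\r\n"
        "depth_2": content_matches(payload, pat, depth=2),   # window too small to hold pat
        "depth_32": content_matches(payload, pat, depth=32), # covers CRLF plus the string
        "offset_2_depth_15": content_matches(payload, pat, offset=2, depth=15),  # exact fit
    }
```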



