[Snort-sigs] Failed Cisco router authentication attempts/rule

Brian bmc at ...95...
Mon Feb 16 19:50:08 EST 2004


On Mon, Feb 16, 2004 at 09:48:14PM -0500, Joshua Wright wrote:
> I noticed there wasn't a rule for failed Cisco router authentication 
> attempts - in case this is useful for someone:
> 
> alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"Failed Cisco Device \
> Authentication"; content:"% Login invalid"; \
> flow:from_server,established; depth:2; classtype:attempted-admin; \
> sid:100002; rev:1;)

FYI, this rule isn't valid.  It won't load in modern versions of snort.
"depth:2" says look for the pattern "% Login invalid" in the first 2
bytes of the packet.  "% Login invalid" is much longer than 2 bytes.
Fix that, and you should be good to go.

Other than that, if the idea works for you, awesome.

Brian
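Added example, not part of the thread: a small Python model of Snort's content/offset/depth window that shows why the quoted rule's `depth:2` can never match the 15-byte pattern, and what depth a given payload would actually need. The sample payloads are constructed for the example, not captured from a router.

```python
from typing import Optional

# Pattern from the quoted rule.
PATTERN = b"% Login invalid"

# Constructed sample payloads (assumptions for the example, not real captures).
# A device may emit the message at the very start of the packet ...
PAYLOAD_BARE = b"% Login invalid\r\n"
# ... or after a line break, which pushes the pattern deeper into the payload.
PAYLOAD_CRLF = b"\r\n% Login invalid\r\n"


def content_matches(payload: bytes, pattern: bytes,
                    depth: Optional[int] = None, offset: int = 0) -> bool:
    """Model of Snort's content match: the whole pattern must lie inside the
    window payload[offset : offset + depth]. depth=None means 'to end of payload'."""
    if depth is not None and depth < len(pattern):
        # Window is shorter than the pattern, so nothing can ever match.
        # This is the "depth:2" problem Brian points out; Snort rejects the rule.
        return False
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return payload.find(pattern, offset, end) != -1


def minimum_depth(payload: bytes, pattern: bytes, offset: int = 0) -> Optional[int]:
    """Smallest depth value that still lets the rule fire on this payload,
    or None if the pattern is not present at all."""
    pos = payload.find(pattern, offset)
    if pos == -1:
        return None
    return pos - offset + len(pattern)


if __name__ == "__main__":
    for name, payload in (("bare", PAYLOAD_BARE), ("crlf", PAYLOAD_CRLF)):
        print(name, "depth:2  ->", content_matches(payload, PATTERN, depth=2))
        print(name, "depth:15 ->", content_matches(payload, PATTERN, depth=15))
        print(name, "no depth ->", content_matches(payload, PATTERN))
        print(name, "minimum depth:", minimum_depth(payload, PATTERN))
```

The second payload shows the tuning caveat: a depth equal to the pattern length (15) is only enough when the message starts the payload, so a depth chosen by measuring one capture can silently miss the same message from another device.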



