[Snort-sigs] Rule to capture POP3 username/password for mail server migration

Michael Breton mbreton at ...1645...
Mon Feb 23 10:27:09 EST 2004


Hello everyone,

How would you construct a rule to catch POP3 logins including usernames and
passwords?

I have tried this:

alert tcp $EXTERNAL_NET any -> 216.204.112.4 110 (msg:"POP3 Username";
flow:to_server,established; content:"USER"; nocase; content:"-0";
distance:1; classtype:attempted-admin; sid:2254; rev:1;)
alert tcp $EXTERNAL_NET any -> 216.204.112.4 110 (msg:"POP3 Password";
flow:to_server,established; content:"PASS"; nocase; content:"-0";
distance:1; classtype:attempted-admin; sid:2254; rev:1;)

I just need to capture the username/password combination to prepare for a
mail server transition and cannot just copy the shadow file info to the new
system.

Any ideas?

Thanks....

Michael Breton
Commtel



