[Snort-sigs] RE: Rule to capture POP3 username/password for mail server migration

John Impallomeni John.Impallomeni at ...1877...
Mon Feb 23 21:10:03 EST 2004


Below is my rule for capturing pop3 traffic. It will capture username and password. Good luck.

alert tcp any any -> $EXTERNAL_NET 110 (msg:"John's POP3 Rule";classtype:attempted-recon; sid:1000008; rev:1;)


John Impallomeni
Systems Administrator
Sun Healthcare Group

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of
snort-sigs-request at lists.sourceforge.net
Sent: Monday, February 23, 2004 9:07 PM
To: snort-sigs at lists.sourceforge.net
Subject: Snort-sigs digest, Vol 1 #844 - 5 msgs




Today's Topics:

   1. Rule to capture POP3 username/password for mail server migration (Michael Breton)
   2. Re: Rule to capture POP3 username/password for mail server migration (Brian)
   3. RE: Rule to capture POP3 username/password for mail server migration (Steven Alexander)
   4. RE: Rule to capture POP3 username/password for mail server migration (Hugo van der Kooij)

--__--__--

Message: 1
From: Michael Breton <mbreton at ...1645...>
To: "'snort-sigs at lists.sourceforge.net'"
	 <snort-sigs at lists.sourceforge.net>
Date: Mon, 23 Feb 2004 13:18:34 -0500
Subject: [Snort-sigs] Rule to capture POP3 username/password for mail server migration

Hello everyone,

How would you construct a rule to catch POP3 logins including usernames and
passwords?

I have tried this:

# Comments and distinct sids added here: both rules originally carried sid:2254, and
# two rules must never share a sid. Sids below 1000000 belong to the rules shipped
# with Snort, so local rules should use 1000000 and above.
# Note the second content match as written: the literal "-0" must appear somewhere
# after "USER"/"PASS" in the same packet, which an ordinary "USER name" or
# "PASS secret" line does not contain, so neither rule fires on a normal login.
alert tcp $EXTERNAL_NET any -> 216.204.112.4 110 (msg:"POP3 Username"; flow:to_server,established; content:"USER"; nocase; content:"-0"; distance:1; classtype:attempted-admin; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> 216.204.112.4 110 (msg:"POP3 Password"; flow:to_server,established; content:"PASS"; nocase; content:"-0"; distance:1; classtype:attempted-admin; sid:1000002; rev:1;)

I just need to capture the username/password combination to prepare for a
mail server transition and cannot just copy the shadow file info to the new
system.

Any ideas?

Thanks....

Michael Breton
Commtel
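As an added, defender-side illustration (not code from the thread or from Snort), here is a small Python audit over constructed POP3 client command streams that implements what the rules above are reaching for: a case-insensitive USER/PASS match anchored at the start of a client-to-server command line, which also recognises STLS and APOP logins so that accounts already avoiding cleartext are not flagged. The sample sessions and the names audit_pop3_client_stream and cleartext_accounts are assumptions made for this example.

```python
import re
# POP3 client commands are case-insensitive keywords plus an optional argument
# and CRLF (RFC 1939); anchoring at the start of the command line is what a bare
# content:"USER"; nocase; match cannot express on its own.
CMD_RE = re.compile(r"^(USER|PASS|APOP|STLS)(?:[ \t]+(.*?))?\r?\n$", re.IGNORECASE)

def audit_pop3_client_stream(lines):
    """Classify one client->server POP3 command stream (assumed helper name).
    The password value is deliberately not kept: for a migration the useful fact
    is which accounts still log in with cleartext PASS, and a sensor that stores
    secrets is just one more place for them to leak from.
    """
    result = {"user": None, "cleartext_pass": False, "apop": False, "stls": False}
    for line in lines:
        m = CMD_RE.match(line)
        if not m:
            continue
        cmd, arg = m.group(1).upper(), (m.group(2) or "")
        if cmd == "STLS":
            result["stls"] = True
            break  # everything after STLS is inside TLS, invisible to a sensor
        if cmd == "USER":
            result["user"] = arg
        elif cmd == "PASS":
            result["cleartext_pass"] = True
        elif cmd == "APOP":  # name plus an MD5 digest, not the password
            result["apop"] = True
            result["user"] = arg.split(" ", 1)[0]
    return result

def cleartext_accounts(sessions):
    """Sorted names of accounts seen authenticating with cleartext USER/PASS."""
    found = set()
    for lines in sessions:
        r = audit_pop3_client_stream(lines)
        if r["user"] and r["cleartext_pass"]:
            found.add(r["user"])
    return sorted(found)

# Constructed client-side command streams; there is no real capture behind them.
SAMPLE_SESSIONS = [
    ["USER alice\r\n", "PASS hunter2\r\n", "STAT\r\n"],
    ["user Bob\r\n", "pass letmein\r\n"],            # lowercase, as nocase allows
    ["STLS\r\n"],                                     # login continues inside TLS
    ["APOP carol 0123456789abcdef0123456789abcdef\r\n"],
    ["USER erin\r\n", "LIST PASS\r\n", "QUIT\r\n"],   # PASS only as an argument
]
if __name__ == "__main__":
    print(cleartext_accounts(SAMPLE_SESSIONS))  # ['Bob', 'alice']
```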


--__--__--

Message: 2
Date: Mon, 23 Feb 2004 16:17:21 -0500
From: Brian <bmc at ...95...>
To: Michael Breton <mbreton at ...1645...>
Cc: "'snort-sigs at lists.sourceforge.net'" <snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Rule to capture POP3 username/password for mail server migration

On Mon, Feb 23, 2004 at 01:18:34PM -0500, Michael Breton wrote:
> How would you construct a rule to catch POP3 logins including usernames and
> passwords?

Don't use snort.  There are lots of password snarfing programs
designed to do this.  Try dsniff.

Brian


--__--__--

Message: 3
Subject: RE: [Snort-sigs] Rule to capture POP3 username/password for mail server migration
Date: Mon, 23 Feb 2004 13:36:31 -0800
From: "Steven Alexander" <alexander.s at ...1565...>
To: "Brian" <bmc at ...95...>,
	"Michael Breton" <mbreton at ...1645...>
Cc: <snort-sigs at lists.sourceforge.net>

I've found that it works best to bite into a piece of cat5 attached to your
switch's mirror/monitoring port; with practice you can *feel* the passwords.  It
helps if any of your teeth have metal fillings.

-steven


--__--__--

Message: 4
Date: Mon, 23 Feb 2004 23:40:54 +0100 (CET)
From: Hugo van der Kooij <hvdkooij at ...481...>
To: snort-sigs mailinglist <snort-sigs at lists.sourceforge.net>
Subject: RE: [Snort-sigs] Rule to capture POP3 username/password for mail server migration

On Mon, 23 Feb 2004, Steven Alexander wrote:

> I've found that it works best to bite into a piece of cat5 attached to your switch's mirror/monitoring port; with practice you can *feel* the passwords.  It helps if any of your teeth have metal fillings.

Don't try this on a POTS line. Not everyone is a bad conductor.

Hugo.

-- 
 All email sent to me is bound to the rules described on my homepage.
    hvdkooij at ...481...		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.



--__--__--


End of Snort-sigs Digest 
  