[Snort-sigs] Sanity Check for password change - unsuccessful attempt

Khawaja, Kaleem Kaleem.Khawaja at ...2314...
Wed May 22 16:45:17 EDT 2013


This is my first attempt at writing this rule, and I will appreciate the keen eyes
of the experts here. Could you do a quick sanity check for me and let
me know if the syntax and the logic will work?

Basically, I am trying to alert on unsuccessful attempts at changing
passwords in AD.

alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522";
flow:to_client,established; content:"|05|"; offset:14; depth:1;
content:"|1e|"; distance:4; within:1; content:"|18|"; distance:30;
within:1; content:"changepw"; distance:30; within:8; nocase;
detection_filter:track by_src, count 4, seconds 120;
classtype:attempted-user; sid:10000061; rev:1; )


Kaleem Khawaja
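A way to sanity-check the logic of the rule above before loading it into Snort is to model its content chain and its detection_filter in a few lines of Python and feed it constructed packets. The following is an added example, not code from the post or from the Snort project: it reproduces the offset/depth and distance/within arithmetic of the four content matches (modelled after Snort 2.x semantics, where within bounds the search window after distance; this is an assumption of the model), builds a constructed 96-byte buffer that is not a real Kerberos capture, and implements detection_filter as a sliding window keyed by either source or destination. The `track` parameter is there because the rule is flow:to_client on port 88, so the packet source is the KDC; `track by_src` therefore counts all error replies from one KDC, whereas `track by_dst` counts per client receiving them.

```python
from collections import defaultdict, deque

# Content chain copied from the posted rule. The first content uses absolute
# offset/depth; the rest use distance/within relative to the previous match end.
# Modelled after Snort 2.x semantics: within limits the search window to that
# many bytes starting after distance (an assumption of this model, not the post).
RULE_CHAIN = [
    (b"\x05", {"offset": 14, "depth": 1}),
    (b"\x1e", {"distance": 4, "within": 1}),
    (b"\x18", {"distance": 30, "within": 1}),
    (b"changepw", {"distance": 30, "within": 8, "nocase": True}),
]


def match_chain(payload, chain=RULE_CHAIN):
    """Return True when every content in the chain matches, in order."""
    cursor = 0  # end of the previous match
    for pattern, mods in chain:
        if "offset" in mods or "depth" in mods:
            start = mods.get("offset", 0)
            end = start + mods["depth"] if "depth" in mods else len(payload)
        else:
            start = cursor + mods.get("distance", 0)
            end = start + mods["within"] if "within" in mods else len(payload)
        hay, needle = payload[start:end], pattern
        if mods.get("nocase"):
            hay, needle = hay.lower(), needle.lower()
        idx = hay.find(needle)
        if idx < 0:
            return False
        cursor = start + idx + len(pattern)
    return True


def build_sample(error_code=0x18, sname=b"changepw"):
    """Constructed 96-byte buffer that places bytes where the rule expects
    them (indexes 14, 19, 50 and 81-88). Not a real Kerberos capture."""
    buf = bytearray(96)
    buf[14] = 0x05
    buf[19] = 0x1E
    buf[50] = error_code
    buf[81:89] = sname.ljust(8, b"\x00")[:8]
    return bytes(buf)


class DetectionFilter:
    """Sliding-window model of detection_filter: alert once `count` hits for
    the same key fall inside `seconds`. Snort's exact reset behaviour may differ."""

    def __init__(self, count=4, seconds=120):
        self.count, self.seconds = count, seconds
        self.hits = defaultdict(deque)

    def observe(self, key, ts):
        q = self.hits[key]
        q.append(ts)
        while ts - q[0] > self.seconds:
            q.popleft()
        return len(q) >= self.count


def run_rule(packets, track="by_src", count=4, seconds=120):
    """packets: iterable of (timestamp, src_ip, dst_ip, payload).
    Returns (ts, key) for each packet that would raise an alert."""
    flt = DetectionFilter(count, seconds)
    alerts = []
    for ts, src, dst, payload in packets:
        key = src if track == "by_src" else dst
        if match_chain(payload) and flt.observe(key, ts):
            alerts.append((ts, key))
    return alerts


if __name__ == "__main__":
    p = build_sample()
    # The rule is to_client, so the KDC (port 88) is the source of every packet.
    pkts = [(0, "kdc", "clientA", p), (10, "kdc", "clientB", p),
            (20, "kdc", "clientA", p), (30, "kdc", "clientB", p)]
    print("by_src:", run_rule(pkts, "by_src"))  # fires on the 4th KDC error reply
    print("by_dst:", run_rule(pkts, "by_dst"))  # no single client reached 4
```

Running the script shows the keying difference directly: four error replies from one KDC split across two clients trip `track by_src` on the fourth packet, while `track by_dst` stays silent because neither client reached the count. Whether that is the intended behaviour depends on whether the rule is meant to flag a busy KDC or a particular client failing repeatedly.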
