[Snort-sigs] Sanity Check for password change - unsuccessful attempt

Joel Esler jesler at ...435...
Wed May 22 17:26:35 EDT 2013

On May 22, 2013, at 4:45 PM, "Khawaja, Kaleem" <Kaleem.Khawaja at ...2314...> wrote:

> All,
> My first attempt at writing this rule and will appreciate the keen eyes of the experts here. If you can do a quick sanity check for me and let me know if the syntax and the logic will work. 
> Basically trying to alert on unsuccessful attempts for changing passwords in AD.
> alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522"; flow:to_client,established; content:"|05|"; offset:14; depth:1; content:"|1e|"; distance:4; within:1; content:"|18|"; distance:30; within:1; content:"changepw"; distance:30; within:8; nocase; detection_filter:track by_src, count 4, seconds 120; classtype:attempted-user; sid:10000061; rev:1; )

In order to look at something like this, you'd/we'd need a pcap to analyze.

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
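Added example, not part of the thread and not Snort's own code: a minimal re-implementation of the Snort content-modifier semantics (offset, depth, distance, within, nocase) in Python, applied to the content chain of the rule Kaleem posted. It assumes Snort 2 behaviour, where depth is counted from offset and distance/within are measured from the end of the previous content match. The payload bytes are constructed here to satisfy the chain; they are not taken from a capture, which is exactly what Joel's reply asks for.

```python
# Added example: re-implements the Snort content modifiers well enough to see
# what the posted rule's content chain pins down. Assumptions (labelled):
#   - depth is a window counted from offset (Snort 2 semantics)
#   - distance/within are counted from the byte after the previous match
#   - the sample payload below is constructed, not a real Kerberos message
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # absolute start of search (non-relative)
    depth: Optional[int] = None      # bytes to search from offset (None = to end)
    distance: Optional[int] = None   # relative: skip N bytes after the last match
    within: Optional[int] = None     # relative: window length after distance
    nocase: bool = False

    @property
    def relative(self) -> bool:
        return self.distance is not None or self.within is not None


def _find(window: bytes, needle: bytes, nocase: bool) -> int:
    if nocase:
        return window.lower().find(needle.lower())
    return window.find(needle)


def match_chain(payload: bytes, chain: List[Content]) -> Optional[List[int]]:
    """Return the start index of every content match, or None if any fails."""
    doe = 0          # "detected offset end": byte after the previous match
    hits: List[int] = []
    for c in chain:
        if c.relative:
            start = doe + (c.distance or 0)
            end = start + c.within if c.within is not None else len(payload)
        else:
            start = c.offset
            end = start + c.depth if c.depth is not None else len(payload)
        idx = _find(payload[start:end], c.pattern, c.nocase)
        if idx < 0:
            return None
        hit = start + idx
        hits.append(hit)
        doe = hit + len(c.pattern)
    return hits


# The content chain exactly as written in the posted rule.
RULE_CHAIN = [
    Content(b"\x05", offset=14, depth=1),
    Content(b"\x1e", distance=4, within=1),
    Content(b"\x18", distance=30, within=1),
    Content(b"changepw", distance=30, within=8, nocase=True),
]


def build_sample(shift: int = 0) -> bytes:
    """Constructed payload that satisfies the chain when shift == 0.

    shift moves only the "changepw" string, mimicking a variable-length
    field earlier in the message; any non-zero shift defeats the chain.
    """
    buf = bytearray(100 + max(shift, 0))
    buf[14] = 0x05
    buf[19] = 0x1e
    buf[50] = 0x18
    pos = 81 + shift
    buf[pos:pos + 8] = b"ChangePW"   # mixed case: exercises nocase
    return bytes(buf)


if __name__ == "__main__":
    print("aligned:", match_chain(build_sample(), RULE_CHAIN))       # [14, 19, 50, 81]
    print("shifted:", match_chain(build_sample(1), RULE_CHAIN))      # None
```

Because every `within` in the chain equals its pattern length, the rule only matches when the four values sit at payload offsets 14, 19, 50 and 81; a one-byte shift from any variable-length field before "changepw" makes it miss, and only a pcap can show whether those offsets hold for real kpasswd traffic. Note also that with `alert tcp any 88 -> any any` and `flow:to_client`, `detection_filter: track by_src` counts matches per source address of the packet, which here is the port-88 side rather than the client making the attempts.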

