[Snort-sigs] Sanity Check for password change - unsuccessful attempt
rmkml at ...174...
Wed May 22 17:28:56 EDT 2013
Thanks for sharing the rule.
I have "changepw" but not on 88/tcp on the to_client side; I found it on 464/tcp.
Has anyone fired this rule, please?
On Wed, 22 May 2013, Khawaja, Kaleem wrote:
> This is my first attempt at writing a rule and I will appreciate the keen eyes of the experts here. Could you do a quick sanity check for me and let me know whether the syntax and the logic will work?
> Basically I am trying to alert on unsuccessful attempts to change passwords in AD.
> alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522"; flow:to_client,established; \
>     content:"|05|"; offset:14; depth:1; content:"|1e|"; distance:4; within:1; \
>     content:"|18|"; distance:30; within:1; content:"changepw"; distance:30; within:8; nocase; \
>     detection_filter:track by_src, count 4, seconds 120; classtype:attempted-user; sid:10000061; rev:1;)
> Kaleem Khawaja
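The offsets and distances in the posted rule are byte positions inside a DER-encoded KRB-ERROR (RFC 4120, section 5.9.1) as carried over TCP with the 4-byte length prefix from section 7.2.2: 0x05 at offset 14 is pvno, 0x1e at offset 19 is msg-type 30 (KRB-ERROR), 0x18 at offset 50 is error-code 24 (KDC_ERR_PREAUTH_FAILED), and "changepw" must start at byte 81 inside sname, because within:8 on an 8-byte pattern allows no slack. Those positions only hold for one field layout: two-byte DER lengths (message longer than 127 bytes), no ctime/cusec/crealm/cname, a three-byte susec, and a realm of exactly three characters. The script below is an added example, not code from the thread or from either poster. It builds constructed KRB-ERROR messages with a minimal DER encoder (the realm names, timestamp, microsecond value and e-data contents are made up), replays the rule's four content checks through a simplified model of Snort 2 offset/depth/distance/within matching, and shows that the rule fires for a three-character realm but misses the same failure for a longer one. It does not model the 464/tcp kpasswd framing mentioned above, nor the detection_filter threshold.

```python
"""Replay the posted rule's content checks over constructed KRB-ERROR messages.

Added example, not code from the thread or either poster. The KRB-ERROR layout
follows RFC 4120 section 5.9.1 (DER, [APPLICATION 30] SEQUENCE) and the TCP
framing (4-byte length prefix) from section 7.2.2. Realm names, the timestamp,
the microsecond value and the e-data contents are constructed, not captured.
"""


def der(tag: int, body: bytes) -> bytes:
    """DER TLV; short-form or 1/2-byte long-form length covers any message built here."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n], which wraps every KRB-ERROR field."""
    return der(0xA0 | n, body)


def integer(v: int) -> bytes:
    """Non-negative INTEGER in minimal DER form (one spare bit keeps the sign clear)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def kstring(s: str) -> bytes:
    """KerberosString is a GeneralString (tag 0x1b)."""
    return der(0x1B, s.encode())


def pa_data(ptype: int, value: bytes) -> bytes:
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }."""
    return der(0x30, ctx(1, integer(ptype)) + ctx(2, der(0x04, value)))


def krb_error_tcp(realm: str, error_code: int, sname=("kadmin", "changepw"),
                  stime="20130522212856Z", susec=756318) -> bytes:
    """Constructed KRB-ERROR in the shape a KDC sends for a failed AS-REQ:
    optional ctime/cusec/crealm/cname omitted, e-data carrying a PA-DATA list
    (etype-info2, enc-timestamp, pk-as-req, pk-as-rep-old); contents are made up."""
    etype_info2 = der(0x30, b"".join(
        der(0x30, ctx(0, integer(etype)) + ctx(1, kstring(realm + "alice")))
        for etype in (18, 17)))
    method_data = der(0x30, pa_data(19, etype_info2) + pa_data(2, b"")
                      + pa_data(16, b"") + pa_data(15, b""))
    body = (ctx(0, integer(5))                         # pvno
            + ctx(1, integer(30))                      # msg-type: KRB-ERROR
            + ctx(4, der(0x18, stime.encode()))        # stime (GeneralizedTime)
            + ctx(5, integer(susec))                   # susec (3-byte INTEGER here)
            + ctx(6, integer(error_code))              # error-code
            + ctx(9, kstring(realm))                   # realm
            + ctx(10, der(0x30, ctx(0, integer(2))     # sname, NT-SRV-INST
                          + ctx(1, der(0x30, b"".join(kstring(p) for p in sname)))))
            + ctx(12, der(0x04, method_data)))         # e-data
    msg = der(0x7E, der(0x30, body))                   # [APPLICATION 30] SEQUENCE
    return len(msg).to_bytes(4, "big") + msg           # TCP record length prefix


def snort_content_match(payload: bytes, checks) -> bool:
    """Simplified model of Snort 2 content matching: offset/depth define an
    absolute window, distance/within a window relative to the end of the
    previous match, and the pattern must fit entirely inside the window."""
    prev_end = 0
    for chk in checks:
        pat = chk["content"]
        if "distance" in chk or "within" in chk:
            start = prev_end + chk.get("distance", 0)
            end = start + chk["within"] if "within" in chk else len(payload)
        else:
            start = chk.get("offset", 0)
            end = start + chk["depth"] if "depth" in chk else len(payload)
        window = payload[start:end]
        if chk.get("nocase"):
            window, pat = window.lower(), pat.lower()
        idx = window.find(pat)
        if idx < 0:
            return False
        prev_end = start + idx + len(pat)
    return True


# The four content checks of the rule under discussion, transcribed as posted.
RULE_CONTENTS = [
    {"content": b"\x05", "offset": 14, "depth": 1},                # pvno = 5
    {"content": b"\x1e", "distance": 4, "within": 1},              # msg-type = 30
    {"content": b"\x18", "distance": 30, "within": 1},             # error-code = 24
    {"content": b"changepw", "distance": 30, "within": 8, "nocase": True},
]


def rule_fires(realm: str, error_code: int) -> bool:
    return snort_content_match(krb_error_tcp(realm, error_code), RULE_CONTENTS)


def changepw_offset(realm: str, error_code: int) -> int:
    """Where "changepw" actually sits; the rule needs it at byte 81 exactly."""
    return krb_error_tcp(realm, error_code).find(b"changepw")


if __name__ == "__main__":
    for realm, code in (("LAB", 24), ("CORP.EXAMPLE.COM", 24), ("LAB", 25)):
        print(f"realm={realm!r:20} error-code={code}: fires={rule_fires(realm, code)}"
              f" changepw@{changepw_offset(realm, code)}")
```

Run as-is and the three cases print fires=True for the three-character realm with error-code 24, fires=False for the sixteen-character realm (the same failure, with "changepw" now at byte 94), and fires=False for error-code 25 (KDC_ERR_PREAUTH_REQUIRED, the normal first reply of a pre-authenticated exchange, which the rule correctly ignores). The practical lesson is that every fixed distance in the rule encodes one realm length and one timestamp encoding; a rule meant to survive other domains has to locate error-code and sname through the DER structure rather than at hard-coded byte positions.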