[Snort-sigs] Sanity Check for password change - unsuccessful attempt

rmkml rmkml at ...174...
Wed May 22 17:28:56 EDT 2013


Hi Khawaja,

thanks for sharing the rule,

I have "changepw", but not on the 88/tcp to_client side; it is found on the 464/tcp 
to_server side...

Has anyone had this rule fire, please?

Regards
@Rmkml


On Wed, 22 May 2013, Khawaja, Kaleem wrote:

> 
> All,
> 
> This is my first attempt at writing this rule, and I will appreciate the keen eyes of the experts here. Please do a quick sanity check for me and let me know if the syntax and the logic will work.
> 
> Basically, I am trying to alert on unsuccessful attempts to change passwords in AD.
> 
> alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522"; flow:to_client,established; content:"|05|"; offset:14; depth:1; content:"|1e|"; distance:4; within:1; content:"|18|"; distance:30; within:1; content:"changepw"; distance:30; within:8; nocase; detection_filter:track by_src, count 4, seconds 120; classtype:attempted-user; sid:10000061; rev:1; )
> 
> regards,
> 
> Kaleem Khawaja
> 
> 
>
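Added example (not code from either message in this thread): a small Python harness that re-implements Snort's offset/depth/distance/within content semantics, mirrors the four content matches of the posted rule, and runs them over a constructed Kerberos KRB-ERROR carried over TCP (RFC 4120 section 5.9.1 and 7.2.2) rather than over a capture. It assumes the byte values in the rule were meant as pvno 5, msg-type 30 (KRB-ERROR) and error-code 24 (KDC_ERR_PREAUTH_FAILED), which the thread does not say; the realm, principal names, timestamp and e-data filler are made up. What it shows is that the hard-coded distances only line up for one DER layout: a different realm length moves "changepw" out of the within:8 window even though the string is still in the packet.

```python
"""Sanity-check the content chain of sid 10000061 against constructed KRB-ERRORs.

Added example, not from the original thread. Re-implements Snort's content
modifiers (offset/depth absolute, distance/within relative to the previous
match) and builds a minimal KRB-ERROR over TCP to run them against.
"""
from dataclasses import dataclass
from typing import List, Optional

# --- minimal DER encoder, enough for the KRB-ERROR fields used below ---------

def der(tag: int, body: bytes) -> bytes:
    """Encode one TLV; short-form length below 0x80, 0x81/0x82 long forms above."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def ctx(n: int, body: bytes) -> bytes:
    """Context-specific constructed tag [n], as Kerberos uses for every field."""
    return der(0xA0 | n, body)

def integer(v: int) -> bytes:
    """DER INTEGER for non-negative v (one spare bit keeps the sign clear)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_krb_error(realm: str, sname: List[str], error_code: int,
                    stime: str = "20130522172856Z", susec: int = 500000,
                    e_data: bytes = b"\x00" * 60) -> bytes:
    """Constructed KRB-ERROR (no ctime/cusec/crealm/cname) with 4-byte TCP prefix.

    e_data is opaque filler (assumption, not real KDC data); it only pushes the
    message past 128 bytes so the 0x81 long-form lengths appear, which is what
    puts pvno at byte 14 as the rule's offset:14 expects.
    """
    fields = (
        ctx(0, integer(5))                      # pvno
        + ctx(1, integer(30))                   # msg-type 30 = KRB-ERROR
        + ctx(4, der(0x18, stime.encode()))     # stime, GeneralizedTime
        + ctx(5, integer(susec))                # susec
        + ctx(6, integer(error_code))           # error-code
        + ctx(9, der(0x1B, realm.encode()))     # realm, GeneralString
        + ctx(10, der(0x30,                     # sname: PrincipalName
              ctx(0, integer(1))                #   name-type NT-PRINCIPAL
              + ctx(1, der(0x30, b"".join(der(0x1B, p.encode()) for p in sname)))))
        + ctx(12, der(0x04, e_data))            # e-data, OCTET STRING
    )
    msg = der(0x7E, der(0x30, fields))          # [APPLICATION 30] SEQUENCE
    return len(msg).to_bytes(4, "big") + msg    # RFC 4120 7.2.2 TCP framing

# --- Snort content-modifier semantics ------------------------------------------

@dataclass
class Content:
    pattern: bytes
    offset: int = 0                  # absolute start of the search window
    depth: Optional[int] = None      # absolute window length from offset
    distance: Optional[int] = None   # relative: skip this many bytes after last match
    within: Optional[int] = None     # relative: window length after the skip
    nocase: bool = False

def match_contents(payload: bytes, contents: List[Content]) -> bool:
    """True if every content matches; relative ones are measured from the end
    of the previous match, as Snort does with distance/within."""
    cursor = 0
    for c in contents:
        relative = c.distance is not None or c.within is not None
        start = max(0, cursor + (c.distance or 0)) if relative else c.offset
        span = c.within if relative else c.depth
        end = len(payload) if span is None else start + span
        window, pat = payload[start:end], c.pattern
        if c.nocase:
            window, pat = window.lower(), pat.lower()
        idx = window.find(pat)
        if idx < 0:
            return False
        cursor = start + idx + len(pat)
    return True

# The four content matches of the posted rule, in order.
RULE_CONTENTS = [
    Content(b"\x05", offset=14, depth=1),                 # pvno 5
    Content(b"\x1e", distance=4, within=1),               # msg-type 30
    Content(b"\x18", distance=30, within=1),              # error-code 24 = KDC_ERR_PREAUTH_FAILED
    Content(b"changepw", distance=30, within=8, nocase=True),
]

def rule_fires(payload: bytes) -> bool:
    return match_contents(payload, RULE_CONTENTS)

# Constructed samples, not captures. With a 3-character realm and a 3-byte susec
# the fixed distances land "changepw" at byte 81; realm EXAMPLE.COM shifts sname
# by 8 bytes and the last content misses its within:8 window.
SAMPLE_HIT = build_krb_error("LAB", ["kadmin", "changepw"], 24)
SAMPLE_MISS = build_krb_error("EXAMPLE.COM", ["kadmin", "changepw"], 24)

if __name__ == "__main__":
    print("LAB realm         ->", rule_fires(SAMPLE_HIT))    # True
    print("EXAMPLE.COM realm ->", rule_fires(SAMPLE_MISS))   # False
```

Run it as a script to see the two outcomes. The takeaway for the rule itself: any byte offsets that depend on realm length, optional ctime/cusec, or the DER length form will silently stop matching on a different domain, so anchoring "changepw" with a plain content match (or a PCRE over the sname) rather than a fixed distance is the safer construction, whichever port and direction it ends up on.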

