[Snort-sigs] Snort rules for detecting password in cleartext

Neeraj Shah neerajshah81 at gmail.com
Mon Mar 19 19:21:00 EDT 2018

 Hello All,
I am looking for help if someone has a snort rule to detect clear text
password being used while logging in via Telnet or HTTP and perhaps a rule
for detecting default passwords.
I ran a telnet session by logging in using a default password to a network
switch and captured the PCAP file. However i am not sure what should i use
to search for using the "content" keyword in my snort rule ? Reason being,
i had to do a "Follow TCP Stream" in Wireshark to be able to see the
password in clear text in wireshark.

alert tcp $HOME_NET any -> $HOME_NET 23 (msg:" TELNET:Default password
login attempt"; flow:to_server,established; content:""; fast_pattern:only;
classtype:default-login-attempt; sid:10000007; rev:1;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20180319/a328a0a8/attachment.html>

More information about the Snort-sigs mailing list