[Snort-users] sorta new at doing this with snort

Imran William Smith iwsmith at ...487...
Thu Jul 4 00:24:07 EDT 2002

I wrote the following rule to check that checks for POP3 cleartext
passwords, for organisations where corporate policy dictates that cleartext
email passwords are not used.  But you'd have to write a different signature
for each protocol.

alert tcp $HOME_NET any -> $HOME_NET 110 (msg:"INFO POP3 cleartext password"; flags: A+; content: "PASS "; classtype:misc-activity;
sid:1000010; rev:1;)

Imran William Smith
Security Products Development
Mimos Bhd, Malaysia

----- Original Message -----
From: "Don" <Don at ...5881...>
To: <snort-users at lists.sourceforge.net>
Sent: Thursday, July 04, 2002 2:50 PM
Subject: [Snort-users] sorta new at doing this with snort

| any help would be appreciated, i have a mail server, of course, and am
| currently getting bombarded with the $domain type of spam, and bogus address
| stuff, the spam doesnt relay, but everyone of my users get tons of email
| from tehmselves, and every other username or list name on the network,
| primarily postmaster/webmaster etc... i'd like to get snort to alert when
| anything/anyone connects to my mail server with the $domain as their helo or
| ehlo name, and as a result of the alert, automatically place that ip in a
| block list using iptables or whatever i have the option to use, possibly
| blocking the ip for a period of time, or indefinitly or until i remove
| manually, any of those options would work for me really, any ideas, if you
| need more info on what i am trying to do, contact me off-list and i'll try
| to explain in more detail.
| also
| i'd like to setup a seperate rule on other boxes to look for, say the word,
| "bogus" or "thisismypassword" or any single word on a specific port, any
| suggestions on how to do that. in one case i wish to make sure passwords
| arent sent in cleartext, in another case, i just want to see if particular
| words are passed thru port 20 for instance.
| win32/win2k latest snort and ruleset, as of a week or 2 ago
| Don
| -------------------------------------------------------
| This sf.net email is sponsored by:ThinkGeek
| Caffeinated soap. No kidding.
| http://thinkgeek.com/sf
| _______________________________________________
| Snort-users mailing list
| Snort-users at lists.sourceforge.net
| Go to this URL to change user options or unsubscribe:
| https://lists.sourceforge.net/lists/listinfo/snort-users
| Snort-users list archive:
| http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list