[Snort-users] password detection

counter.spy at ...348...
Mon Mar 18 06:26:09 EST 2002


> Howdy,

Hi Mike!

> 	I know this request is going to sound really devious, but I assure you my
> intentions are completely white-hat.
> 	I'd like to see how many people are using plain text passwords on my
> network.  A few protocols that come to mind are telnet and pop3. Obviously,
> I want to teach them the wonder that is ssh.  I was thinking something
> like:
> 
> content:"PASS";
> 
> 	Has anyone gone about this before?
> 
>      -Mike Arrison

Not exactly, but it could work. Have you found out whether the string "PASS" is
being used in the sessions you want to monitor?
I am not quite sure, but if "PASS" is really used in Telnet and POP3, then
I think it will work (I am not a protocol geek, yet ;-) ).
Maybe you would like to tighten the string search by using the offset and depth
modifiers, because "PASS" could show up in legitimate payload. I suppose you
have specified the appropriate port numbers in your rules?

BTW: I found out that the subseven rules in backdoors.rules did not trigger
on my tests with SubSeven Gold 2.1 in a testing environment.

I have written rules for this particular version *without* specifying a
port, because the port can be easily customized.
In this backdoor traffic I also found a password request and reply in plain
text.
The rules are working well for me and they have not produced any false
positives on a production network yet. But this was my first attempt at
writing rules, so please don't laugh too loud ;-)


# Sub7 2.1 password exchange, outbound; no port given because it is configurable
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

# Same password exchange, inbound direction
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "PWD"; offset: 0; depth: 10; nocase; \
classtype: misc-activity;)

# Sub7 version banner; the hex bytes spell "version: 2.1"
alert tcp $HOME_NET any -> $EXTERNAL_NET any \
(msg:"Possible BACKDOOR Sub7 21 traffic"; fragbits: D+; flags: AP; \
content: "|76 65 72 73 69 6f 6e 3a 20 32 2e 31|"; \
offset: 40; depth: 40; nocase; classtype: misc-activity;)

HTH
Greetings,
D. Liesen

PS: I am never sure whether such things shouldn't better be discussed on the
sigs list.

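An added example, not from the original thread, of the offset/depth tightening suggested in the reply: a small Python emulation of Snort's content/offset/depth/nocase matching run over constructed POP3 command lines (the port numbers, rule names and sample payloads are assumptions). The loose content:"PASS" rule from the question also fires on a USER line that merely contains "pass", while the tightened rule fires only on the real PASS command.

```python
from typing import List, NamedTuple, Optional

class Packet(NamedTuple):
    dst_port: int
    payload: bytes

class Rule(NamedTuple):
    msg: str
    dst_port: Optional[int]       # None means any port, like Snort's "any"
    content: bytes
    offset: int = 0
    depth: Optional[int] = None   # None means search the whole payload
    nocase: bool = False

def content_match(payload: bytes, rule: Rule) -> bool:
    """Snort-style content test: the pattern must lie entirely inside the
    window that starts at `offset` and spans `depth` bytes."""
    end = None if rule.depth is None else rule.offset + rule.depth
    window, content = payload[rule.offset:end], rule.content
    if rule.nocase:
        window, content = window.lower(), content.lower()
    return content in window

def evaluate(rules: List[Rule], packets: List[Packet]) -> List[str]:
    """Return the msg of every (rule, packet) pair that fires, in packet order."""
    hits = []
    for pkt in packets:
        for rule in rules:
            if rule.dst_port in (None, pkt.dst_port) and content_match(pkt.payload, rule):
                hits.append(rule.msg)
    return hits

# The loose rule from the question (content:"PASS") next to a tightened one
# that pins the keyword to the start of the POP3 command line.
LOOSE = Rule("POP3 PASS loose", 110, b"PASS", nocase=True)
TIGHT = Rule("POP3 PASS tight", 110, b"PASS ", offset=0, depth=5, nocase=True)

# Constructed client->server payloads (assumed sample data, not captured traffic).
PACKETS = [
    Packet(110, b"USER mike\r\n"),
    Packet(110, b"PASS hunter2\r\n"),                    # real cleartext password
    Packet(110, b"USER passwordless@example.com\r\n"),   # "pass" inside a USER line
    Packet(25, b"RCPT TO:<pass@example.com>\r\n"),       # other port, never checked
]

if __name__ == "__main__":
    print("loose:", evaluate([LOOSE], PACKETS))   # two hits, one a false positive
    print("tight:", evaluate([TIGHT], PACKETS))   # one hit, the PASS command
```

Telnet sends the password as typed keystrokes after a "Password:" prompt rather than as a PASS command, so a content match on "PASS" fits keyword protocols such as POP3 and FTP, not telnet.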