[Snort-users] ACID and Snort rules

snort snort at ...13526...
Mon Sep 19 20:54:10 EDT 2005


I would like to make a rule for users accessing certain sites via their log. I am tasked to prove that users are authenticating into specific sites. I would like to get as specific as user name and password.

I want to create rules based on payload data; however, I have not been successful. An example is below. I would like to trigger this rule to happen for any IP address the sensor sees. I'm going to change the content around to something like passwd, etc. I understand it's case sensitive when searching the payload data.
 
alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP root login";) 

 
Can someone give me more examples of a Snort rule to accomplish this task? What would rules look like searching the payload data? Where do I put the rule, and how do I have it both alert and log to the database?

I have been reading some forums and they are helpful in talking about the construction of a rule and its parts and what each one means. I can use some help now. Thank you.
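
An added example (not part of the original post, and not the Snort project's own configuration) showing, in Snort 2.x syntax, how the rule in the post could match the payload regardless of case and be written to the database that ACID reads. The sid, the `local.rules` file name and the database values are placeholders chosen for illustration.

```conf
# ---- local.rules (assumed file name for site-specific rules) ----
# Variant of the rule in the post:
#   - destination "any" so it fires for every address the sensor sees
#   - flow: only client-to-server data on an established TCP session
#   - nocase: applies to the preceding content, so "USER root",
#     "user root" and "User Root" all match
#   - sid: local rules conventionally use 1000000 and above (value assumed)
alert tcp any any -> any 21 (msg:"FTP root login"; flow:to_server,established; content:"USER root"; nocase; sid:1000001; rev:1;)

# ---- snort.conf ----
# Load the local rule file from the configured rule directory.
include $RULE_PATH/local.rules

# Database output plugin: events from alert rules are written to the
# database that ACID queries. All values below are placeholders.
output database: log, mysql, user=SNORT_DB_USER password=SNORT_DB_PASSWORD dbname=SNORT_DB_NAME host=localhost

# Optional second output: a one-line-per-alert text file next to the database.
output alert_fast: alert.fast
```

Without `nocase`, the `content` option is an exact byte match, so the lowercase string in the posted rule would not match a client that sends the command as `USER root`.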