[Snort-users] ACID and Snort rules
snort at ...13526...
Mon Sep 19 20:54:10 EDT 2005
I would like to make a rule for users accessing certain sites via their log. I am tasked to prove that users are authenticating into specific sites. I would like to get as specific as user name and password.
I want to create rules based on payload data; however, I have not been successful.
An example. I would like to trigger this rule to happen for any IP address the sensor sees. I'm going to change the content around to something like passwd etc. I understand it's case sensitive when searching the payload data.
alert tcp any any -> 192.168.1.0/24 21 (content: "user root"; msg: "FTP root login";)
Can someone give me more examples of a Snort rule to accomplish this task. What would rules look like searching the payload data? Where do I put the rule, and how do I have it both alert and log to the database?
I have been reading some forums and they are helpful in talking about the construction of a rule and its parts and what each one means. I could use some help now. Thank you.
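An added example, not part of the original post, of what payload-matching FTP rules and the matching snort.conf lines could look like in Snort 2.x syntax. The 192.168.1.0/24 range, the SID numbers, the rule file name and the database credentials are placeholders to be replaced with your own values:

```snort
# local.rules (added example; the address range and SIDs are placeholders)
# Flag any cleartext FTP login attempt: the USER command sent from a client to
# a server on port 21. "nocase" makes the content match case-insensitive, and
# "flow" limits the match to established client-to-server traffic so that a
# server banner containing the same string is not reported.
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP cleartext login attempt"; flow:to_server,established; content:"USER "; nocase; classtype:attempted-recon; sid:1000001; rev:1;)

# The same idea narrowed to one account name, with a regular expression
# anchored at the start of the payload so "USER rootuser" does not match.
alert tcp any any -> 192.168.1.0/24 21 (msg:"FTP root login attempt"; flow:to_server,established; content:"USER root"; nocase; pcre:"/^USER\s+root\r?\n/i"; classtype:attempted-admin; sid:1000002; rev:1;)

# snort.conf: pull in the local rule file (RULE_PATH is the variable that
# snort.conf already defines for the rules directory) and write alerts to the
# MySQL database that ACID reads. Replace the credentials with your own.
include $RULE_PATH/local.rules
output database: alert, mysql, user=snort password=CHANGEME dbname=snort host=localhost
```

Each rule needs its own sid (local rules conventionally start at 1000000) and a rev, or ACID cannot tell the signatures apart. The rules match on the USER command rather than PASS, so the alert record ACID stores does not itself carry the password; the payload of the packet that fired the rule is still written to the database with the alert, which is enough to show that a login took place.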