[Snort-users] Snort rule to monitor for a specific user login

Richard Bejtlich taosecurity at ...11827...
Thu Aug 13 16:55:28 EDT 2009


On Thu, Aug 13, 2009 at 11:18 AM, Jesse Lands<cryptograffiti at ...11827...> wrote:
>
> I guess it would have helped if I was a little more specific.  I want to
> monitor for a list of Windows logins used across the network.  Users who
> don't have access or shouldn't anymore.  I have a list of logins that are in
> use, but don't have a central log collection and have too many computers to
> individually check each system.
>
> Thanks again
> Jesse
>

Hi Jesse,

I suggest capturing traffic that represents the activity you care
about.  Then manually inspect that traffic using Wireshark to see if
you can find indicators associated with those users.  You may find the
Wireshark display filters to be a friendlier way to start identifying
the activity of interest.  If you can build some confidence using
Wireshark, you could then try to build a Snort rule that alerts on the
same traffic.

Sincerely,

Richard
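Richard's three steps (capture, confirm in Wireshark, then write the Snort rule) carried through for one watched login, as an added example that is not from this thread or from the Snort project. The user name "jdoe", the interface of Windows logins as NTLM over SMB (tcp/445) and Kerberos AS-REQ (port 88), and the local sid numbers are all assumptions for illustration; the Wireshark field names in the comments are the dissector fields that expose the same user name.

```snort
# local.rules -- added example, not from the mailing-list thread.
# Watched login "jdoe" is a constructed placeholder; one rule set per watched user.
#
# Step 2 (confirm first in Wireshark): display filters that surface the same
# packets the rules below match, so the indicator can be checked by eye.
#   ntlmssp.auth.username == "jdoe"      (NTLM AUTHENTICATE, e.g. SMB session setup)
#   kerberos.CNameString == "jdoe"       (client principal in a Kerberos AS-REQ)
#
# Step 3: Snort rules for the same indicators.

# NTLM AUTHENTICATE (type 3) message carrying the user name over SMB.
# The message starts with the "NTLMSSP\0" signature and a little-endian
# message type of 3; the user name field is UTF-16LE, so every ASCII
# character is followed by a NUL byte.  nocase covers JDOE / Jdoe variants.
alert tcp any any -> any 445 (msg:"WATCHLIST Windows login by disallowed user jdoe (NTLM over SMB)"; \
    flow:to_server,established; \
    content:"NTLMSSP|00 03 00 00 00|"; \
    content:"j|00|d|00|o|00|e|00|"; nocase; distance:0; \
    classtype:policy-violation; sid:1000001; rev:1;)

# Kerberos AS-REQ (the ticket request sent at logon).  The client principal
# (cname) is a plain ASCII KerberosString inside the ASN.1 body, so a simple
# content match works.  0x6a is the APPLICATION 10 tag that starts an AS-REQ:
# at offset 0 over UDP, after a 4-byte record-length prefix over TCP.
alert udp any any -> any 88 (msg:"WATCHLIST Windows login by disallowed user jdoe (Kerberos AS-REQ/UDP)"; \
    content:"|6a|"; depth:1; \
    content:"jdoe"; nocase; distance:0; \
    classtype:policy-violation; sid:1000002; rev:1;)

alert tcp any any -> any 88 (msg:"WATCHLIST Windows login by disallowed user jdoe (Kerberos AS-REQ/TCP)"; \
    flow:to_server,established; \
    content:"|6a|"; offset:4; depth:1; \
    content:"jdoe"; nocase; distance:0; \
    classtype:policy-violation; sid:1000003; rev:1;)
```

Replay the capture from step 1 through Snort (`snort -r capture.pcap -c snort.conf`) and compare the alert count with the packet count the Wireshark filters return before trusting the rules on live traffic. Two caveats a practitioner should keep in mind: the NTLM rule only sees the user name when the SMB session setup is in the clear (SMB3 encryption and NTLM carried inside TLS hide it), and a short user name like "jdoe" will also match inside longer principals or unrelated bytes, so treat these as a first cut to be tightened with `pcre` or `isdataat` once the real traffic has been inspected.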
