[Snort-users] Snort rule to monitor for a specific user login

Joel Esler jesler at ...1935...
Thu Aug 13 18:20:51 EDT 2009

This is a problematic thing to discover and detect.  Not impossible, as
Nigel said, if you can see the data, you can write a rule to find it.  But
it can be difficult sometimes, at Sourcefire, we developed another product
to handle this for us.  We call it RUA.  (Real-Time User Awareness).


On Thu, Aug 13, 2009 at 11:18 AM, Jesse Lands <cryptograffiti at ...11827...>wrote:

> If you can see the data in network traffic, you can write a rule to find
>> it.
>> --
>> Nigel Houghton
>> Head Mentalist
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
> I guess it would have helped if I was a little more specific.  I want to
> monitor for a list of Windows logins used across the network.  Users who
> don't have access or shouldn't anymore.  I have a list of logins that are in
> use, but don't have a central log collection and have to many computers to
> individually check each system.
> Thanks again
> Jesse
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- Joel Esler | Sourcefire | Google Voice: 302-223-5974
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20090813/75d91297/attachment.html>

More information about the Snort-users mailing list