[Snort-users] Snort rule to monitor for a specific user login

Will Metcalf william.metcalf at ...11827...
Thu Aug 13 18:37:58 EDT 2009

This sounds like a job for OSSEC, you don't have to really to deploy
to every system.  You have things that you don't want them access
probably on file servers, deploy the OSSEC agent to these boxes along
with you domain controllers (they have to auth here at some point) and
you should be mostly covered.  The rest is just writing rules looking
for the logons..



On Thu, Aug 13, 2009 at 10:18 AM, Jesse Lands<cryptograffiti at ...11827...> wrote:
>> If you can see the data in network traffic, you can write a rule to find
>> it.
>> --
>> Nigel Houghton
>> Head Mentalist
>> http://vrt-sourcefire.blogspot.com && http://www.snort.org/vrt/
> I guess it would have helped if I was a little more specific.  I want to
> monitor for a list of Windows logins used across the network.  Users who
> don't have access or shouldn't anymore.  I have a list of logins that are in
> use, but don't have a central log collection and have to many computers to
> individually check each system.
> Thanks again
> Jesse
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list