Snort mailing list archives
Re: FW: password sniffingj
From: Neil Dickey <neil () geol niu edu>
Date: Fri, 17 Aug 2001 10:19:59 -0500 (CDT)
"Sutton, Andrew" <andrew.sutton () cocc com> wrote:
Here's two that I use for telnet. I suppose you could open it up for any any for other ports. The tricky part is what would flag the user/pass in the content of the packets.

alert tcp any any -> $HOME_NET 21 (msg:"Telnet Username in the _CLEAR!_";content: "USER";nocase;)
alert tcp any any -> $HOME_NET 21 (msg:"Telnet Password in the _CLEAR!_";content: "PASS";nocase;)

For my own instruction, when I first learned that telnet was insecure I set up a snoop session and did some telnetting to see what I could see. What I found is that, while the telnet password is in fact sent in the clear, it is sent one character at a time in successive packets. This makes it a bit difficult to sniff. FTP, on the other hand, puts the whole thing in a single packet, in the clear, and the second rule above will in fact pick it up.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
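
Added example, not part of the original message or of Snort: a Python sketch of why a per-packet content match fires on an FTP login but not on a telnet login typed one character per packet, and how matching over the reassembled byte stream differs. The session payloads, user name, password, the decoy string and the function names are all constructed for illustration.

```python
# Constructed client-to-server payloads; the user name and password are made up.
FTP_SESSION = [b"USER alice\r\n", b"PASS example-pw\r\n"]
# Telnet in character mode: one keystroke per packet, as described in the message.
TELNET_SESSION = [bytes([b]) for b in b"alice\r\nexample-pw\r\n"]

KEYWORDS = (b"USER", b"PASS")   # the content strings from the two quoted rules
DECOY = b"EXAMPLE-PW"           # assumption: a decoy credential the defender planted


def per_packet_hits(payloads, keywords=KEYWORDS):
    """Case-insensitive content match evaluated on each packet in isolation."""
    hits = []
    for i, payload in enumerate(payloads):
        upper = payload.upper()
        for kw in keywords:
            if kw in upper:
                hits.append((i, kw.decode()))
    return hits


def stream_hits(payloads, keywords=KEYWORDS):
    """Same match over the reassembled stream; reports the packet index
    in which each match completes. Keywords must be upper-case bytes."""
    hits = []
    keep = max(len(kw) for kw in keywords) - 1  # bytes carried across packets
    tail = b""
    for i, payload in enumerate(payloads):
        window = tail + payload.upper()
        for kw in keywords:
            pos = window.find(kw)
            while pos != -1:
                # Count a match only if it ends inside this packet's bytes,
                # so matches already reported from the tail are not repeated.
                if pos + len(kw) > len(tail):
                    hits.append((i, kw.decode()))
                pos = window.find(kw, pos + 1)
        tail = window[-keep:] if keep else b""
    return hits


if __name__ == "__main__":
    print("FTP, per packet:      ", per_packet_hits(FTP_SESSION))
    print("Telnet, per packet:   ", per_packet_hits(TELNET_SESSION))
    print("Telnet, stream:       ", stream_hits(TELNET_SESSION))
    print("Telnet decoy, packet: ", per_packet_hits(TELNET_SESSION, (DECOY,)))
    print("Telnet decoy, stream: ", stream_hits(TELNET_SESSION, (DECOY,)))
```

The telnet client never sends the words USER or PASS, so even stream-level matching on those keywords stays silent; only a string that actually crosses the wire, such as the decoy, is found once the single-character packets are reassembled.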