Snort mailing list archives
Re: Snort rule to monitor for a specific user login
From: Richard Bejtlich <taosecurity () gmail com>
Date: Thu, 13 Aug 2009 16:55:28 -0400
On Thu, Aug 13, 2009 at 11:18 AM, Jesse Lands<cryptograffiti () gmail com> wrote:
I guess it would have helped if I was a little more specific. I want to monitor for a list of Windows logins used across the network. Users who don't have access or shouldn't anymore. I have a list of logins that are in use, but don't have a central log collection and have too many computers to individually check each system.

Thanks again
Jesse
Hi Jesse,

I suggest capturing traffic that represents the activity you care about. Then manually inspect that traffic using Wireshark to see if you can find indicators associated with those users. You may find the Wireshark display filters to be a friendlier way to start identifying the activity of interest. If you can build some confidence using Wireshark, you could then try to build a Snort rule that alerts on the same traffic.

Sincerely,
Richard
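The capture-then-rule workflow suggested above, as an added example that is not part of the original post or of any poster's code: a small generator that turns a watch list of account names into Snort 2.x rules matching the name in an NTLMSSP AUTHENTICATE message. It assumes the logons of interest use NTLM over SMB (TCP 139/445) with Unicode names; the sample names, message text and SID range are constructed, and the content match is a substring match, so "jdoe" also fires on "jdoe2".

```python
"""Generate Snort 2.x rules that alert on watch-listed account names in NTLMSSP logons."""

# Constructed sample watch list; replace with the real list of accounts to monitor.
WATCHLIST = ["jdoe", "svc_backup"]

# "NTLMSSP\0" signature followed by message type 3 (AUTHENTICATE), little-endian.
NTLMSSP_AUTH = 'content:"NTLMSSP|00 03 00 00 00|";'


def utf16le_hex(name: str) -> str:
    """Hex-encode a name as UTF-16LE, the form NTLMSSP uses when Unicode is negotiated."""
    return " ".join(f"{b:02X}" for b in name.encode("utf-16-le"))


def build_rule(username: str, sid: int) -> str:
    """Return one Snort rule for a single account name.

    Every byte of the name is emitted in hex so characters such as ';' or '"'
    cannot break the rule syntax. The msg text keeps only safe ASCII characters.
    """
    if not username:
        raise ValueError("empty username")
    safe = "".join(
        c if c.isascii() and (c.isalnum() or c in "._-") else "?" for c in username
    )
    return (
        "alert tcp any any -> $HOME_NET [139,445] "
        f'(msg:"LOCAL watch-listed account in NTLMSSP auth: {safe}"; '
        "flow:to_server,established; "
        f"{NTLMSSP_AUTH} "
        # distance:0 requires the name to appear after the NTLMSSP header match.
        f'content:"|{utf16le_hex(username)}|"; distance:0; nocase; '
        f"classtype:policy-violation; sid:{sid}; rev:1;)"
    )


def build_rules(usernames, first_sid=1000001):
    """Build rules for the whole list; SIDs from 1,000,000 up are reserved for local rules."""
    return [build_rule(u, first_sid + i) for i, u in enumerate(usernames)]


if __name__ == "__main__":
    print("\n".join(build_rules(WATCHLIST)))
```

Before loading the rules, confirm in a capture that the names are visible at all, for instance with the Wireshark display filter `ntlmssp.auth.username == "jdoe"`. Logons that use Kerberos carry no NTLMSSP message and will not match.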
Current thread:
- Snort rule to monitor for a specific user login Jesse Lands (Aug 13)
- Re: Snort rule to monitor for a specific user login Nigel Houghton (Aug 13)
- Re: Snort rule to monitor for a specific user login Jesse Lands (Aug 13)
- Re: Snort rule to monitor for a specific user login Richard Bejtlich (Aug 13)
- Re: Snort rule to monitor for a specific user login Joel Esler (Aug 13)
- Re: Snort rule to monitor for a specific user login Will Metcalf (Aug 13)
- Re: Snort rule to monitor for a specific user login Jesse Lands (Aug 13)
- Re: Snort rule to monitor for a specific user login Nigel Houghton (Aug 13)