Re: Sanity Check for password change - unsuccessful attempt

[Joel Esler <jesler () sourcefire com>]

On May 22, 2013, at 4:45 PM, "Khawaja, Kaleem" <Kaleem.Khawaja () bp com> wrote:

> All,
>
> My first attempt at writing this rule and will appreciate the keen eyes of the experts here. If you can do a quick 
> sanity check for me and let me know if the syntax and the logic will work. 
>
> Basically trying to alert on  unsuccessful attempts for changing passwords in AD. 
>
> alert tcp any 88 -> any any (msg:"Password Change attempt - 20130522"; flow:to_client,established; content:"|05|"; 
> offset:14; depth:1; content:"|1e|"; distance:4; within:1; content:"|18|"; distance:30; within:1; content:"changepw"; 
> distance:30; within:8; nocase; detection_filter:track by_src, count 4, seconds 120; classtype:attempted-user; 
> sid:10000061; rev:1; )

In order to look at something like this, you'd/we'd need a pcap to analyze.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire


------------------------------------------------------------------------------
Try New Relic Now & We'll Send You this Cool Shirt
New Relic is the only SaaS-based application performance monitoring service 
that delivers powerful full stack analytics. Optimize and monitor your
browser, app, & servers with just a few lines of code. Try New Relic
and get this awesome Nerd Life shirt! http://p.sf.net/sfu/newrelic_d2d_may

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!