[prev in list] [next in list] [prev in thread] [next in thread]
List: snort-sigs
Subject: [Snort-sigs] keywords "tag" and "session"
From: Cedric Foll <cedric.foll () ac-rouen ! fr>
Date: 2003-11-28 15:58:23
[Download RAW message or body]
Hi,
i'd like to register session when a user failed to authenticate on my
POP3 server.
I wrote a rules which works well but i fail to register more than the
packet which had match.
This is my rule:
alert tcp $HOME_NET 110 -> $EXTERNAL_NET any (msg:"Mot de passe
incorrect POP"; flow:established,to_client; session: printable;
tag:host,60,seconds,src; content:"-ERR Password incorrect";dsize:<256;
classtype:bad-unknown; sid:30000001; rev:1;)
The problem is my SESSION file has only the line '-ERR Password
incorrect' even if the user makes many tries during the first minute.
So what is wrong with my rule ?
How can i write my rule to register all the session when a incorrect
authentification is done ?
Regards
--
Cédric Foll
["signature.asc" (application/pgp-signature)]
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive? Does it
help you create better code? SHARE THE LOVE, and help us help
YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic