[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-sigs
Subject:    [Snort-sigs] keywords "tag" and "session"
From:       Cedric Foll <cedric.foll () ac-rouen ! fr>
Date:       2003-11-28 15:58:23
[Download RAW message or body]

Hi,

i'd like to register session when a user failed to authenticate on my
POP3 server.
I wrote a rules which works well but i fail to register more than the
packet which had match.
This is my rule:

alert tcp $HOME_NET 110 -> $EXTERNAL_NET any (msg:"Mot de passe
incorrect POP"; flow:established,to_client; session: printable;
tag:host,60,seconds,src; content:"-ERR Password incorrect";dsize:<256;
classtype:bad-unknown; sid:30000001; rev:1;)

The problem is my SESSION file has only the line '-ERR Password
incorrect' even if the user makes many tries during the first minute.

So what is wrong with my rule ?
How can i write my rule to register all the session when a incorrect
authentification is done ?


Regards

-- 
Cédric Foll

["signature.asc" (application/pgp-signature)]
-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

[prev in list] [next in list] [prev in thread] [next in thread]