List:       snort-users
Subject:    [Snort-users] Related to new signatures using passwords
From:       "M. Burnett" <mburnett () xato ! net>
Date:       2000-12-22 21:10:25

On a related note, I have experimented with watching packets crossing my
network boundaries that contain certain administrator usernames.  It does
generate a few false alerts but I have discovered some interesting things by
monitoring that.

On the other hand, watching for passwords might be the wrong approach, with
the exception of a few extreme cases.  Perhaps rather than watching for the
login process, it may be more effective to watch what they are doing once
they are logged in.  For example, if someone is getting a remote command
prompt on an NT box through terminal services, NetCat, or another exploit, I
would expect that at some point a command prompt is going to be sent across
the wire.  To check for that, I have added a tag to my command prompt and
watch for that tag leaving the network.  I also have specially marked
directories that I also watch for so that I can see if a directory listing
ever leaves as well.  The exact nature of the rules would depend on what
services are available to a remote attacker.

Of course there are ways to defeat this, but in a couple of rules I can
accomplish the same thing as a hundred password rules and I have a much
lower false alert rate.


M. Burnett
www.xato.net
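The canary approach described in the post, as an added example that is not part of the original message or of Snort itself: a tag is prepended to the command prompt and a directory is given a distinctive name, then outbound packets are checked for either string. The tag values, the internal address range and the sample packets are all constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All values below are constructed for this example; pick your own tag strings.
HOME_NET = ip_network("192.168.1.0/24")
CANARY_PROMPT = b"[cx7] C:\\"   # hypothetical tag prepended to the cmd.exe prompt
CANARY_DIR = b"cx7_marker"      # hypothetical name of a specially marked directory

# Equivalent Snort rules (assumed shape, not the post's own rules):
#   alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"canary prompt leaving network"; content:"[cx7] C:\\";)
#   alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"marked directory leaving network"; content:"cx7_marker";)

@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes

def is_egress(pkt: Packet) -> bool:
    """True when the packet crosses from the internal range to outside it."""
    return ip_address(pkt.src) in HOME_NET and ip_address(pkt.dst) not in HOME_NET

def check_packet(pkt: Packet) -> list:
    """Return the alert messages this packet triggers (empty if none)."""
    if not is_egress(pkt):
        return []  # inbound traffic is ignored: the signal is the tag leaving the network
    alerts = []
    if CANARY_PROMPT in pkt.payload:
        alerts.append("canary prompt leaving network")
    if CANARY_DIR in pkt.payload:
        alerts.append("marked directory leaving network")
    return alerts

# Constructed sample traffic: a remote shell echoing the prompt, a directory
# listing, the same bytes travelling inbound, and ordinary outbound HTTP.
SAMPLE_PACKETS = [
    Packet("192.168.1.10", "203.0.113.5", b"\r\n[cx7] C:\\WINNT>"),
    Packet("192.168.1.10", "203.0.113.5", b"<DIR>  cx7_marker\r\n[cx7] C:\\>"),
    Packet("203.0.113.5", "192.168.1.10", b"[cx7] C:\\>"),
    Packet("192.168.1.10", "203.0.113.5", b"GET / HTTP/1.0\r\n\r\n"),
]

def scan(packets=SAMPLE_PACKETS) -> list:
    """Return (packet index, alert message) pairs for a packet stream."""
    return [(i, msg) for i, pkt in enumerate(packets) for msg in check_packet(pkt)]

if __name__ == "__main__":
    for i, msg in scan():
        print(f"packet {i}: {msg}")
```

Only the two outbound packets carrying the tags raise alerts; the inbound copy of the prompt and the plain HTTP request do not, which is what keeps the false alert rate low compared with matching on logins.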
