[Emerging-Sigs] clear text passwords

Matt Jonkman jonkman at jonkmans.com
Fri Jan 9 14:37:35 EST 2009


Frank Knobbe wrote:
>> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"login  
>> credentials being passed in POST data"; flow:to_server,established;  
>> content:"&username="; nocase;  content:"&password="; nocase;  
>> classtype:policy-violation; sid:1048480; rev:1;)
> 
> Why not also create a sister rule that checks for POST requests with
> username= and password= in the URL rather than the POST data blob? 

Good idea, will put one up now.

> 
> I'd also remove the & from the matches and just use username and
> password... just in case one of them is the first element.
> 

Also a good idea. Doing so.

Thanks Frank

Matt



-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
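
Added example, not part of the original message or of the Emerging Threats ruleset: a small Python emulation of the unanchored `content:"..."; nocase;` matches discussed above, comparing the posted rule with the two suggested changes (dropping the leading `&`, and a sister check on the request URL). The function names and sample requests are constructed for illustration, and the matcher only approximates how an IDS evaluates content options.

```python
# Constructed sample requests (not captured traffic).
BODY_FIRST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
              b"username=alice&password=hunter2")          # username is first field
BODY_LATER = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n\r\n"
              b"lang=en&username=alice&password=hunter2")  # username follows a '&'
IN_URL = (b"POST /login?username=alice&password=hunter2 HTTP/1.1\r\n"
          b"Host: example.test\r\n\r\n")                   # credentials in the URL
BENIGN = b"POST /search HTTP/1.1\r\nHost: example.test\r\n\r\nq=snort"


def content_match(data, patterns):
    """Emulate chained content/nocase options: every pattern must occur somewhere."""
    low = data.lower()
    return all(p.lower() in low for p in patterns)


def split_request(payload):
    """Return (method, uri, body) from a raw HTTP request."""
    head, _, body = payload.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    return parts[0], (parts[1] if len(parts) > 1 else b""), body


def original_rule(payload):
    # Patterns as posted: both require a leading '&'.
    return content_match(payload, [b"&username=", b"&password="])


def relaxed_rule(payload):
    # Leading '&' removed, so a first-position field still matches.
    return content_match(payload, [b"username=", b"password="])


def url_sister_rule(payload):
    # Sister check: POST request carrying both parameters in the URL.
    method, uri, _ = split_request(payload)
    return method == b"POST" and content_match(uri, [b"username=", b"password="])


def evaluate(payload):
    return {"original": original_rule(payload),
            "relaxed": relaxed_rule(payload),
            "url": url_sister_rule(payload)}


if __name__ == "__main__":
    for name in ("BODY_FIRST", "BODY_LATER", "IN_URL", "BENIGN"):
        print(name, evaluate(globals()[name]))
```

The posted patterns miss both the first-field body and the URL case (where `username` follows `?` rather than `&`); the relaxed patterns catch them, and the URL check separates the sister-rule case from the body case.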