Detection rule for clear text password


Neeraj Shah

Mar 19, 2018, 11:21:59 AM
to security-onion
Hello All,
I am looking for help if someone has a Snort rule to detect a clear-text password being used while logging in via Telnet or HTTP, and perhaps a rule for detecting default passwords.

I ran a Telnet session using the default password to a network switch and captured the PCAP file. However, I am not sure what I should search for with the "content" keyword in my Snort rule. Reason being, I had to do a "Follow TCP Stream" in Wireshark to be able to see the password in clear text.

alert tcp $HOME_NET any -> $HOME_NET 23 (msg:" TELNET:Default password login attempt"; flow:to_server,established; content:""; fast_pattern:only; classtype:default-login-attempt; sid:10000007; rev:1;)

Thanks in advance

don m.

Mar 20, 2018, 9:45:45 AM
to security-onion

The "content" will be the telnet prompt back to you. You will see this in the "follow tcp stream" view. If you had a banner, you could look for that as well. Here are some of the older rules from the ET rule set (in telnet.rules). Best bet is to get the Emerging rules (even though Telnet Emerged in 1977, I think...)

https://rules.emergingthreats.net/open/suricata-4.0/

#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Attempt To Cisco Device With No Telnet Password Set (Automatically Dissalowed Until Password Set)"; flow:from_server; content:"Password required, but none set"; depth:31; reference:url,doc.emergingthreats.net/bin/view/Main/2008860; classtype:attempted-admin; sid:2008860; rev:4; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login Prompt from Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)*/"; content:"User Access Verification"; within:24; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:attempted-admin; sid:2008861; rev:6; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:" Login incorrect"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2101251; rev:9; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14; metadata:created_at 2010_09_23, updated_at 2010_09_23;)

Neeraj Shah

Mar 20, 2018, 9:58:52 AM
to security-onion
Thank you Don.

Neeraj Shah

Mar 21, 2018, 10:47:11 AM
to security-onion
Hi Don,
Need your advice again. Please see the attachment; it is the output of a "Follow TCP Stream" session in Wireshark when I did a Telnet to my switch.
Putting the "content" on the banner won't help, as that appears before the password is typed and will always be displayed irrespective of whatever password we put in.
I need to detect the default password "switch" in my Snort alert rule. The issue is that this string "switch" is spread across multiple packets in the PCAP file, and that is why I had to do a "Follow TCP Stream". For instance, the string "switch" is broken down into 7 different packets, with each packet containing one character at a time, i.e. packet #1 has "s", packet #2 has "w", and so on...
How do I merge the contents of multiple packets into one to look for the string? I am under the impression that the "content" keyword in the rule can only be used for searching against one packet at a time. Hope I am clear.
Capture.JPG
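The problem described in the last message (a password typed one character per packet, so no single packet ever contains the string "switch") is a stream-reassembly problem, and the same reassembly is what makes Don's prompt-based rules line up with the client's reply. The following Python script is an added example written for this thread, not code from the original posts or from the Snort project: it builds a constructed Telnet exchange (hypothetical hosts 10.0.0.5 as the switch and 10.0.0.10 as the client, hypothetical default-password watchlist) and shows that a per-packet content match fails while a match over the reassembled client-to-server stream succeeds.

```python
"""Added example (not from the thread): why per-packet content matching misses a
password typed character-at-a-time over Telnet, and how reassembling the
client->server stream before matching fixes it. All packets are constructed."""
from collections import defaultdict

# Constructed packets as (src, dst, payload). The switch at 10.0.0.5 prompts for a
# password; the client at 10.0.0.10 sends one character per packet, as Telnet in
# character-at-a-time mode does. Addresses and the watchlist are hypothetical.
CLIENT = ("10.0.0.10", 51000)
SWITCH = ("10.0.0.5", 23)
PACKETS = (
    [(SWITCH, CLIENT, b"\r\nUser Access Verification\r\n\r\nPassword: ")]
    + [(CLIENT, SWITCH, c.encode()) for c in "switch"]
    + [(CLIENT, SWITCH, b"\r\n"), (SWITCH, CLIENT, b"\r\nSwitch>")]
)

DEFAULT_PASSWORDS = [b"switch", b"cisco", b"admin"]  # hypothetical watchlist


def per_packet_match(packets, needle):
    """Mimic a single-packet content match: True if any one payload contains needle."""
    return any(needle in payload for _, _, payload in packets)


def reassemble(packets):
    """Concatenate payloads per direction (src, dst) in capture order, the way a
    stream reassembler (or Wireshark's Follow TCP Stream) presents them."""
    streams = defaultdict(bytes)
    for src, dst, payload in packets:
        streams[(src, dst)] += payload
    return streams


def find_default_password_login(packets, passwords=DEFAULT_PASSWORDS):
    """Return the matched default password (as str) when the server side of a
    port-23 conversation issued a 'Password:' prompt and the reassembled
    client->server stream contains a watchlist entry as a complete line;
    otherwise return None."""
    streams = reassemble(packets)
    for (src, dst), data in streams.items():
        if dst[1] != 23:          # only client -> Telnet server streams
            continue
        server_reply = streams.get((dst, src), b"")
        if b"Password:" not in server_reply:
            continue              # no password prompt, so nothing to correlate
        for line in data.replace(b"\r\n", b"\n").split(b"\n"):
            if line in passwords:
                return line.decode()
    return None


if __name__ == "__main__":
    print("per-packet match:", per_packet_match(PACKETS, b"switch"))
    print("stream match:", find_default_password_login(PACKETS))
```

The per-packet check is the behaviour the message is worried about: every client payload is a single byte, so "switch" never matches. The stream check corresponds to what Snort does once its stream preprocessor has reassembled the port-23 conversation, and it also correlates the server's "Password:" prompt with the client's reply, so a banner alone (which appears whatever password is typed) does not trigger it.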