Hi everyone!
I want to catch the username and password in a flow.
In this case, flowbits and pcre are needed, such as:
alert tcp any any -> any 110 (msg:"get pop3 info";
content:"USER"; nocase;
pcre:"/USER\s+([^\r\n]+)\r\nPASS\s+([^\r\n]+)\r\n/i, flow:username, flow:password";
flowbits:set, pop3_info; noalert;
sid:200020; gid:10001;)
alert tcp any 110 -> any any (msg:"get pop3 status";
flowbits:isset, pop3_info;
pcre:"/[+-](ERR|OK)\s+(?:Authentication|authorization|Logged in.)\s+(?:failed)?[^\r\n]*?\r\n/, flow:status";
flowbits:unset, pop3_info;
target:src_ip; sid:200028; gid:10001;)
I can catch the username and password successfully if there's only one login in the flow.
However, if there are multiple logins, I can only catch the first username in a flow.
Meanwhile, in order to grab multiple data I tried using flowbits:unset xxx, flow:stateless, pcre:/xxxx/, pkt:name, pkt:pass, but it doesn't work.
Could you guys give me some advice?
Thx in advance
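The behaviour described above, one match per flow instead of one per login attempt, is easy to reproduce outside the sensor. The script below is an added example and is not code from the post or from Suricata: it reconstructs the two halves of a POP3 TCP flow as constructed sample byte strings (not captured traffic), shows that a single regex search over the to-server stream yields only the first username, and then walks the client and server streams in lock-step (reply i+1 answers command i, reply 0 being the banner) so every USER/PASS attempt is paired with the server's +OK/-ERR verdict. It deliberately records the account and the outcome but not the password value, which is what an alert about cleartext authentication or repeated failures actually needs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample streams (not captured traffic): the to-server and
# to-client halves of one POP3 TCP flow containing three login attempts.
# POP3 is lock-step, so reply i+1 answers command i (reply 0 is the banner).
CLIENT_STREAM = (
    b"USER alice\r\n"
    b"PASS wrong-one\r\n"
    b"USER alice\r\n"
    b"PASS wrong-two\r\n"
    b"USER bob\r\n"
    b"PASS s3cret-sample\r\n"
    b"QUIT\r\n"
)
SERVER_STREAM = (
    b"+OK POP3 server ready\r\n"
    b"+OK\r\n"
    b"-ERR [AUTH] Authentication failed.\r\n"
    b"+OK\r\n"
    b"-ERR [AUTH] Authentication failed.\r\n"
    b"+OK\r\n"
    b"+OK Logged in.\r\n"
    b"+OK Bye\r\n"
)

# Same shape as the pcre in the post: a USER line directly followed by a PASS line.
USER_PASS_RE = re.compile(rb"USER\s+([^\r\n]+)\r\nPASS\s+([^\r\n]+)\r\n", re.IGNORECASE)
USER_RE = re.compile(rb"USER\s+(\S+)", re.IGNORECASE)
PASS_RE = re.compile(rb"PASS\s+(\S+)", re.IGNORECASE)
# Server status line; note [+-], the POP3 status prefixes are "+OK" and "-ERR".
STATUS_RE = re.compile(rb"^([+-])(OK|ERR)\b", re.IGNORECASE)


@dataclass
class LoginAttempt:
    username: str
    outcome: str        # "OK", "ERR" or "unknown"
    server_reply: str   # the raw status line, useful in an alert message


def first_attempt_only(client: bytes) -> Optional[str]:
    """One regex search per flow, which is what a single pcre match amounts to:
    it returns only the first username even when the flow holds several logins."""
    m = USER_PASS_RE.search(client)
    return m.group(1).decode(errors="replace") if m else None


def parse_login_attempts(client: bytes, server: bytes) -> List[LoginAttempt]:
    """Walk both streams in lock-step and record every USER/PASS attempt together
    with the server's verdict. The password value is intentionally not kept."""
    commands = client.splitlines()
    replies = server.splitlines()
    attempts: List[LoginAttempt] = []
    pending_user: Optional[str] = None
    for i, cmd in enumerate(commands):
        reply = replies[i + 1] if i + 1 < len(replies) else b""
        um = USER_RE.match(cmd)
        pm = PASS_RE.match(cmd)
        if um:
            pending_user = um.group(1).decode(errors="replace")
        elif pm and pending_user is not None:
            sm = STATUS_RE.match(reply)
            outcome = sm.group(2).decode().upper() if sm else "unknown"
            attempts.append(LoginAttempt(pending_user, outcome, reply.decode(errors="replace")))
            pending_user = None  # the next attempt must start with a fresh USER
    return attempts


def failed_attempt_count(attempts: List[LoginAttempt]) -> int:
    """Rejected logins in the flow; a threshold on this is the usual brute-force
    signal, and any PASS on port 110 at all is cleartext authentication."""
    return sum(1 for a in attempts if a.outcome == "ERR")


if __name__ == "__main__":
    print("single match sees:", first_attempt_only(CLIENT_STREAM))
    attempts = parse_login_attempts(CLIENT_STREAM, SERVER_STREAM)
    for a in attempts:
        print(f"user={a.username!r} outcome={a.outcome} reply={a.server_reply!r}")
    print("failed attempts:", failed_attempt_count(attempts))
```

Running it prints `alice` for the single-match approach but three records (alice/ERR, alice/ERR, bob/OK) for the lock-step parser, which is the gap between the two rules in the post and what a per-attempt detection has to track.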