Trouble with multiple weak passwords in flows

Hi everyone!
I want to catch the username and password in a flow.
In this case, flowbits and pcre are needed, such as:

alert tcp any any -> any 110 (msg:"get pop3 info"; \
content:"USER"; nocase; \
pcre:"/USER\s+([^\r\n]+)\r\nPASS\s+([^\r\n]+)\r\n/i, flow:username, flow:password"; \
flowbits:set, pop3_info; noalert; \
sid:200020; gid:10001;)

alert tcp any 110 -> any any (msg:"get pop3 status"; \
flowbits:isset, pop3_info; \
pcre:"/[+-](ERR|OK)\s+(?:Authentication|authorization|Logged in.)\s+(?:failed)?[^\r\n]*?\r\n/, flow:status"; \
flowbits:unset, pop3_info; \
target:src_ip; sid:200028; gid:10001;)

I can catch the username and password successfully if there’s only one login in the flow.
However, if there are multiple logins, I can only catch the first username in a flow.

Meanwhile, in order to grab multiple data I tried using flowbits: unset xxx, flow:stateless, pcre:/xxxx/, pkt:name, pkt: pass, but it doesn’t work.

Could you guys give me some advice?

Thx in advance

Pics associated

The above rules are demo things. The real rules for SMTP are below:

alert smtp any any -> any 25 (msg:"get smtp username"; \
flowbits: set, smtp_login; \
pcre:"/AUTH LOGIN\r\n([\w]+={0,2})\r\n([\w]+={0,2})\r\n/i, flow:username, flow:password"; noalert; \
sid:200010; gid:10001;)

alert smtp any 25 -> any any (msg:"get smtp status"; \
flowbits: isset, smtp_login; priority:1; \
flowbits: unset, smtp_login; \
pcre:"/(235|535).*\r\n/, flow:status"; \
target:src_ip; sid:200019; gid:10001;)

And the packets for testing:

smtp_test.pcapng (13.3 KB)

Thx for your help

Seems like you want to use signatures for logging.
Can you enable smtp logging in suricata and get the data you want from there instead?

Thank you for the reply! But I just want to grab the data and process it in another process, which uses an algorithm that gives a judgement on weak passwords.
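For the separate auditing process described above, here is an added example (not code from any poster in this thread) that pulls every AUTH LOGIN attempt out of one SMTP session instead of only the first. It assumes the two directions of the flow are already reassembled into byte strings and that each attempt receives exactly one 235/535 reply, in order. The function name and sample session are constructed.

```python
import base64
import binascii
import re

# Capture pattern from the thread's SMTP rule (sid 200010). \w does not match
# the base64 characters '+' and '/', so values containing them are missed.
AUTH_LOGIN = re.compile(rb"AUTH LOGIN\r\n([\w]+={0,2})\r\n([\w]+={0,2})\r\n", re.I)
# Status pattern from sid 200019, anchored to line start here (an added
# tightening) so digits inside other replies are not mistaken for a status.
STATUS = re.compile(rb"^(235|535).*\r\n", re.M)


def _b64(value: bytes) -> str:
    """Decode one AUTH LOGIN field; keep the raw text if it is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return value.decode("ascii", "replace")


def extract_logins(to_server: bytes, to_client: bytes) -> list:
    """Return every login attempt in the session with its server verdict."""
    statuses = [m.group(1).decode() for m in STATUS.finditer(to_client)]
    logins = []
    for i, m in enumerate(AUTH_LOGIN.finditer(to_server)):
        logins.append({
            "username": _b64(m.group(1)),
            "password": _b64(m.group(2)),
            # None when the capture ended before the server answered.
            "status": statuses[i] if i < len(statuses) else None,
        })
    return logins


def _enc(text: str) -> bytes:
    return base64.b64encode(text.encode())


# Constructed sample: one failed and one successful login in the same flow.
SAMPLE_TO_SERVER = (b"EHLO client.example\r\n"
                    b"AUTH LOGIN\r\n" + _enc("alice") + b"\r\n" + _enc("123456") + b"\r\n"
                    b"AUTH LOGIN\r\n" + _enc("bob") + b"\r\n" + _enc("password") + b"\r\n")
SAMPLE_TO_CLIENT = (b"220 mail.example ESMTP\r\n250 mail.example\r\n"
                    b"334 VXNlcm5hbWU6\r\n334 UGFzc3dvcmQ6\r\n"
                    b"535 5.7.8 Authentication failed\r\n"
                    b"334 VXNlcm5hbWU6\r\n334 UGFzc3dvcmQ6\r\n"
                    b"235 2.7.0 Authentication successful\r\n")

if __name__ == "__main__":
    for attempt in extract_logins(SAMPLE_TO_SERVER, SAMPLE_TO_CLIENT):
        print(attempt)
```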