Snort mailing list archives

Re: A rule for telnet commands


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 16 Dec 2002 17:03:07 -0500

Heh, that's what the stream4 and telnet decode preprocessors are for. With them on, Snort rules will match even if the data is spread out across several IP packets. No need for special handling in the rules at all, so a content: "enable"; should work just fine.



At 11:50 AM 12/16/2002 -0800, posts wrote:

I would like to write a rule for a specific telnet command (like the Cisco "enable" command for example).

But since telnet commands seem to be transmitted a character at a time, a simple (...content:"enable";...) option will not work, so it seems that some reassembly is required.

Is it possible to write a rule to catch a specific telnet command?... and if so how?

Thanks!
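The effect discussed in this thread, as an added example that is not part of either post and is not Snort's code: a simplified Python model of why a per-packet match on "enable" misses keystroke-at-a-time telnet, and why matching after stream reassembly plus telnet negotiation stripping finds it. All function names and the sample segments are constructed for illustration.

```python
# Added illustration: a simplified model, not Snort's preprocessor code.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT: one option byte follows

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop telnet IAC sequences so only the typed data remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):        # truncated IAC at end of buffer
            break
        elif data[i + 1] == IAC:        # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] in NEGOTIATE:  # IAC <verb> <option>
            i += 3
        elif data[i + 1] == SB:         # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                           # other two-byte commands (NOP, GA, ...)
            i += 2
    return bytes(out)

def reassemble(segments):
    """Join client payloads in sequence order; a retransmitted seq is kept once.
    Assumption: no sequence wraparound or partial overlap in this toy model."""
    first = {}
    for seq, payload in segments:
        first.setdefault(seq, payload)
    return b"".join(first[s] for s in sorted(first))

def per_packet_match(segments, pattern):
    return any(pattern in payload for _, payload in segments)

def stream_match(segments, pattern):
    return pattern in strip_telnet_negotiation(reassemble(segments))

# Constructed sample: "enable" typed one character per segment (seq, payload)
SEGMENTS = [
    (1000, b"\xff\xfb\x03"),            # IAC WILL SUPPRESS-GO-AHEAD
    (1003, b"e"), (1004, b"n"),
    (1006, b"b"), (1005, b"a"),         # out of order
    (1005, b"a"),                       # retransmission
    (1007, b"\xff\xf1"),                # IAC NOP between keystrokes
    (1009, b"l"), (1010, b"e"), (1011, b"\r\n"),
]
if __name__ == "__main__":
    print(per_packet_match(SEGMENTS, b"enable"), stream_match(SEGMENTS, b"enable"))
```

Reassembly alone is not enough here: the joined stream still has the IAC NOP bytes between "enab" and "le", which is the part the telnet decode step removes.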


