Snort mailing list archives
Re: A rule for telnet commands
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 16 Dec 2002 17:03:07 -0500
Heh, that's what the stream4 and telnet decode preprocessors are for. With them on, Snort rules will match even if the data is spread out across several IP packets. No need for special handling in the rules at all, so a content: "enable"; should work just fine.
At 11:50 AM 12/16/2002 -0800, posts wrote:
I would like to write a rule for a specific telnet command (like the Cisco "enable" command for example). But since telnet commands seem to be transmitted a character at a time, a simple (...content:"enable";...) option will not work, so it seems that some reassembly is required. Is it possible to write a rule to catch a specific telnet command?... and if so, how? Thanks!
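An added illustration, not part of the original thread and not Snort's code: a simplified Python model of why a per-packet content match misses telnet input typed one character at a time, and why matching on the reassembled stream with telnet negotiation stripped finds it. The function names and the sample payloads are constructed for this example.

```python
# Simplified model of what stream reassembly plus telnet decoding give a
# content match. Illustrative only; this is not Snort's implementation.

IAC, SB, SE = 255, 250, 240            # telnet command bytes (RFC 854)
NEGOTIATE = (251, 252, 253, 254)       # WILL, WONT, DO, DONT


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences so only the user's keystrokes remain."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break                      # dangling IAC at the end of the buffer
        elif data[i + 1] == IAC:
            out.append(IAC)            # IAC IAC is an escaped 0xFF data byte
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3                     # IAC + verb + option
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end == -1 else end + 2
        else:
            i += 2                     # two-byte command such as IAC NOP
    return bytes(out)


def per_packet_match(payloads, pattern: bytes) -> bool:
    """Match each TCP payload on its own, as with no reassembly."""
    return any(pattern in p for p in payloads)


def reassembled_match(payloads, pattern: bytes) -> bool:
    """Match the joined, decoded stream (payloads assumed in sequence order)."""
    return pattern in strip_telnet_negotiation(b"".join(payloads))


# Constructed client-to-server payloads: option negotiation, then "enable"
# typed one key per packet with a window-size subnegotiation in the middle.
SAMPLE = [
    bytes([IAC, 253, 1]), b"e", b"n", b"a",
    bytes([IAC, SB, 31, 0, 80, 0, 24, IAC, SE]),
    b"b", b"l", b"e", b"\r\n",
]

if __name__ == "__main__":
    print("per-packet :", per_packet_match(SAMPLE, b"enable"))
    print("reassembled:", reassembled_match(SAMPLE, b"enable"))
```
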