Snort mailing list archives

RE: A rule for telnet commands


From: Steve Halligan <giermo () geeksquad com>
Date: Tue, 17 Dec 2002 08:40:20 -0600



heh, that's what the stream4 and telnet decode preprocessors are for. With them on, snort rules will match, even if the data is spread out across several IP packets. No need for special handling in the rules at all, so a content: "enable"; should work just fine.



At 11:50 AM 12/16/2002 -0800, posts wrote:

I would like to write a rule for a specific telnet command (like the Cisco "enable" command, for example)

OT, but keep in mind that looking for 'enable' is not gonna work. Cisco devices can be put into enable mode by typing 'enable' or 'en' or 'ena' or 'enab' or 'enabl'. The only string that you are sure to see is the 'en' part of it, and that is guaranteed to false positive if you look for that. Perhaps a rule that looks for your cisco devices sending a 'routername#' back to the client.

-steve
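As an added illustration (not code from the thread or from Snort), the Python below models what the stream4 and telnet_decode preprocessors do before a content: match is tried, and contrasts a naive content:"enable"; check with Steve's suggestion of watching for the 'routername#' prompt on the server-to-client side. The session data is constructed, and the hostname "Router" and the direction labels "c2s"/"s2c" are assumptions.

```python
import re

# Telnet protocol bytes: IAC introduces commands, SB/SE delimit subnegotiation.
IAC, SB, SE = 0xFF, 0xFA, 0xF0

def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command/option negotiation bytes, as telnet_decode does."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:   # escaped 0xFF data byte
            out.append(IAC); i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:    # IAC SB ... IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif i + 1 < len(data) and 0xFB <= data[i + 1] <= 0xFE:  # WILL/WONT/DO/DONT <opt>
            i += 3
        else:                                             # any other 2-byte command
            i += 2
    return bytes(out)

def stream_payload(packets, direction: str) -> bytes:
    """Reassemble one direction of the session, as stream4 does before matching."""
    return strip_telnet_negotiation(b"".join(p for d, p in packets if d == direction))

def content_match(packets, direction: str, needle: bytes, reassembled: bool) -> bool:
    """A content: check, either per packet or over the reassembled stream."""
    if reassembled:
        return needle in stream_payload(packets, direction)
    return any(needle in strip_telnet_negotiation(p) for d, p in packets if d == direction)

# Steve's suggestion: watch for the privileged-exec prompt "<hostname>#" (also
# "<hostname>(config)#") at the start of a line in server-to-client data.
PRIV_PROMPT = re.compile(rb"(?m)^[A-Za-z0-9._-]+(?:\([\w-]+\))?#")

def privileged_prompt_seen(packets) -> bool:
    return PRIV_PROMPT.search(stream_payload(packets, "s2c")) is not None

# Constructed session (not a capture): server sends IAC WILL ECHO, the user types
# the abbreviated "ena" split across two segments, then receives the "#" prompt.
SESSION = [
    ("s2c", bytes([IAC, 0xFB, 0x01]) + b"\r\nRouter>"),
    ("c2s", b"en"),
    ("c2s", b"a\r\n"),
    ("s2c", b"Password: "),
    ("c2s", b"[password]\r\n"),
    ("s2c", b"\r\nRouter#"),
]
```

On this session a content:"enable"; check misses the abbreviated command even after reassembly, a per-packet check misses "ena" because it is split, and the prompt check fires on "Router#".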




