Snort mailing list archives
RE: A rule for telnet commands
From: Steve Halligan <giermo () geeksquad com>
Date: Tue, 17 Dec 2002 08:40:20 -0600
heh, that's what the stream4 and telnet decode preprocessors are for. With them on, snort rules will match even if the data is spread out across several IP packets. No need for special handling in the rules at all, so a content: "enable"; should work just fine.

At 11:50 AM 12/16/2002 -0800, posts wrote:
> I would like to write a rule for a specific telnet command (like the Cisco "enable" command, for example
OT, but keep in mind that looking for 'enable' is not gonna work. Cisco devices can be put into enable mode by typing 'enable' or 'en' or 'ena' or 'enab' or 'enabl'. The only string that you are sure to see is the 'en' part of it, and that is guaranteed to false positive if you look for that. Perhaps a rule that looks for your Cisco devices sending a 'routername#' back to the client.

-steve
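The two detection approaches Steve contrasts, worked through in Python as an added illustration (not code from the thread or from Snort): a small telnet IAC stripper standing in for what the telnet decode preprocessor does to a reassembled stream, the 'en' substring check that fires on ordinary commands, and the server-side 'hostname#' prompt check. Sample streams are constructed, not captured.

```python
import re

# Telnet control sequences: IAC (0xFF) + command byte; WILL/WONT/DO/DONT carry
# one option byte; SB ... IAC SE brackets subnegotiation data.
IAC, SB, SE = 0xFF, 0xFA, 0xF0

def strip_telnet_iac(data: bytes) -> bytes:
    """Drop telnet negotiation so content matching sees only user/server text
    (an approximation of Snort's telnet decode preprocessor, not its code)."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at end of stream
            break
        cmd = data[i + 1]
        if cmd == IAC:                  # IAC IAC is an escaped 0xFF data byte
            out.append(IAC); i += 2
        elif cmd == SB:                 # skip subnegotiation up to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (0xFB, 0xFC, 0xFD, 0xFE):  # WILL/WONT/DO/DONT + option
            i += 3
        else:                           # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)

# Constructed, already-reassembled streams with a little option negotiation in front.
CLIENT = b"\xff\xfd\x01show environment\r\nen\r\nc1sco\r\n"
SERVER = b"\xff\xfb\x01router1>\r\nPassword: \r\nrouter1#\r\n"

def lines_matching_en(client: bytes) -> list:
    """The 'en' common to every abbreviation of 'enable': note it also hits
    'show environment', the false positive the post warns about."""
    text = strip_telnet_iac(client).decode("ascii", "replace")
    return [ln for ln in text.split("\r\n") if "en" in ln]

# Privileged-EXEC prompt sent by the device: a line of just 'hostname#'.
PRIV_PROMPT = re.compile(r"(?m)^[A-Za-z0-9_.-]+#\s*$")

def privileged_prompt_seen(server: bytes) -> bool:
    """Server-to-client check: fires only once the device is actually in enable mode."""
    text = strip_telnet_iac(server).decode("ascii", "replace")
    return PRIV_PROMPT.search(text) is not None
```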
Current thread:
- A rule for telnet commands posts (Dec 16)
- Re: A rule for telnet commands Matt Kettler (Dec 16)
- <Possible follow-ups>
- RE: A rule for telnet commands Steve Halligan (Dec 17)
- A rule for telnet commands Neal Werner (Dec 17)