Snort mailing list archives

Rule for filtering Telnet protocol


From: Carlos Jimenez <cjimenez () eneotecnologia com>
Date: Fri, 27 Sep 2013 15:06:50 +0200

Hello everybody,

I'd like to create a rule for Snort to detect Telnet traffic, regardless of the port used for the Telnet session. Is there any way to do it? I guess that the ftp-telnet preprocessor normalizes the telnet (and ftp) traffic, so is it possible to create a rule from the ftp/telnet preprocessor, i.e. taking advantage of normalized fields from the preprocessor? I have sniffed a Telnet session and I've realized that there are several commands (i.e. Do, Will...) that seem to belong to the Telnet protocol itself. I have created a rule like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Telnet"; content:"|FF FB|"; rawbytes; sid:1000; rev:1;)

Using that rule I managed to detect the "Will" command, but while avoiding the decoding process, and I'm not sure at all that it doesn't generate false positives with other protocols.

Please, could you give me advice about this issue?

Thanks in advance.

Carlos.
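The false-positive concern in the post above is real: `|FF FB|` is just IAC WILL, and those two bytes occur by chance in any binary stream. The following is an added example (not from the poster or the Snort project) that walks a TCP payload the way a Telnet endpoint would (RFC 854: IAC = 0xFF, WILL/WONT/DO/DONT = 0xFB-0xFE followed by one option byte, SB ... IAC SE for subnegotiation) and only calls the stream Telnet when several well-formed option negotiations appear near the start of the payload. The sample payloads are constructed for the example; the thresholds (`min_negotiations`, `depth`) are assumptions to tune on real traffic.

```python
"""Heuristic Telnet-negotiation detector over raw TCP payload bytes.

Added example, not code from the original post.  It contrasts the bare
content:"|FF FB|" match with a stricter check that requires complete,
consecutive IAC negotiations, which is what real Telnet peers send first.
"""

# Telnet command bytes (RFC 854).
IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEGOTIATE = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}

# A few option codes, only used to build readable sample payloads.
ECHO, SGA, TERMINAL_TYPE, NAWS = 0x01, 0x03, 0x18, 0x1F


def naive_match(payload: bytes) -> bool:
    """Equivalent of content:"|FF FB|"; rawbytes: any IAC WILL anywhere."""
    return bytes([IAC, WILL]) in payload


def parse_negotiations(payload: bytes) -> list:
    """Return the well-formed (command, option) negotiations in payload.

    Parsing stops at the first malformed IAC sequence, so a random blob
    that merely contains FF FB rarely yields several clean triplets.
    """
    out = []
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            i += 1                      # ordinary data byte
            continue
        if i + 1 >= n:
            break                       # truncated IAC
        cmd = payload[i + 1]
        if cmd == IAC:
            i += 2                      # escaped 0xFF data byte
        elif cmd in NEGOTIATE:
            if i + 2 >= n:
                break                   # negotiation missing its option byte
            out.append((NEGOTIATE[cmd], payload[i + 2]))
            i += 3
        elif cmd == SB:
            end = payload.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                break                   # unterminated subnegotiation
            i = end + 2
        elif SE <= cmd <= 0xF9:
            i += 2                      # two-byte commands (NOP, GA, ...)
        else:
            break                       # 0xFF followed by a non-command byte
    return out


def looks_like_telnet(payload: bytes, min_negotiations: int = 2, depth: int = 64) -> bool:
    """Stricter verdict: at least min_negotiations complete option
    negotiations inside the first depth bytes (thresholds are assumptions)."""
    return len(parse_negotiations(payload[:depth])) >= min_negotiations


# Constructed sample payloads (not captured traffic).
TELNET_SERVER_HELLO = bytes([IAC, DO, TERMINAL_TYPE, IAC, DO, NAWS,
                             IAC, WILL, ECHO, IAC, WILL, SGA]) + b"login: "
TELNET_CLIENT_REPLY = (bytes([IAC, DO, ECHO, IAC, SB, TERMINAL_TYPE, 0x00])
                       + b"XTERM" + bytes([IAC, SE, IAC, WILL, NAWS]))
BINARY_BLOB_WITH_FF_FB = b"\x12\x34\xff\xfb\x07\x00\x00\x89PNG"
TLS_LIKE_RECORD = b"\x16\x03\x01\xff\x41\x02\x00"

if __name__ == "__main__":
    for name, payload in [("server hello", TELNET_SERVER_HELLO),
                          ("client reply", TELNET_CLIENT_REPLY),
                          ("binary blob", BINARY_BLOB_WITH_FF_FB),
                          ("tls-like record", TLS_LIKE_RECORD)]:
        print(f"{name:16} naive={naive_match(payload)!s:5} "
              f"strict={looks_like_telnet(payload)!s:5} "
              f"negotiations={parse_negotiations(payload)}")
```

Running it shows the naive check firing on the binary blob while the strict check does not. The Snort equivalent of the stricter logic is to require more than one negotiation sequence (additional `content` matches constrained with `depth`/`within` on an established flow) rather than a single `|FF FB|`; note also that, in Snort 2.x, the ftp_telnet preprocessor only normalizes the ports listed in its telnet `ports { ... }` setting, so rules that rely on its normalization will not see Telnet running on an unlisted port.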
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!