[Snort-devel] spp_telnet_negotiation module information request.

Martin Roesch roesch at ...402...
Sun May 6 22:35:41 EDT 2001


The telnet negotiation plugin normalizes telnet and ftp data streams
that have telnet negotiation codes embedded in them.  Basically, pattern
matching can be disrupted in telnet and ftp data streams by embedding
telnet negotiation codes in the data stream (cf. Robert Graham's
sidestep utility for more info).  The telnet_decode preprocessor looks
for telnet negotiation codes and removes them from data streams so that
the pattern matcher can function normally.  I think I found the
infinite loop that the code was prone to entering and fixed it a
week or so ago; check out the CVS code (or download
http://snort.sourceforge.net/snort-daily.tar.gz) and give it a try.

   -Marty


Bill Gercken wrote:
> 
> Hello,
> 
> Can someone please point me to a description of telnet/ftp negotiation
> strings, their content and what is normal? (Is it somewhere in Richard
> Stevens's books?) I have captured some ftp control session data, which is
> making the spp_telnet_negotiation module hang and need to understand what is
> normal for this data in order to troubleshoot it.
> 
> Thanks.
> -bill
> 
> --
> William C. Gercken                          Email:
> bgercken at ...351...
> Provident Analysis Corporation
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
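
The normalization discussed in this thread, as an added example that is not part of the original message and is not Snort's own code: a simplified C sketch that strips RFC 854 negotiation sequences (IAC = 255) from a buffer so the text can be pattern-matched, written so that truncated sequences cannot stall the loop. The names telnet_normalize, sample and demo_out and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

enum { TN_SE = 240, TN_SB = 250, TN_WILL = 251, TN_DONT = 254, TN_IAC = 255 };

/* Copy in[0..len) to out (capacity >= len) minus telnet negotiation sequences.
 * Every branch advances i, so truncated or malformed input cannot stall it. */
size_t telnet_normalize(const unsigned char *in, size_t len, unsigned char *out)
{
    size_t i = 0, o = 0;
    while (i < len) {
        if (in[i] != TN_IAC) {            /* ordinary data byte */
            out[o++] = in[i++];
            continue;
        }
        if (i + 1 >= len)                 /* lone IAC at end of buffer: drop */
            break;
        unsigned char cmd = in[i + 1];
        if (cmd == TN_IAC) {              /* IAC IAC = escaped 0xFF data byte */
            out[o++] = TN_IAC;
            i += 2;
        } else if (cmd >= TN_WILL && cmd <= TN_DONT) {
            i += 3;                       /* IAC WILL/WONT/DO/DONT <option> */
        } else if (cmd == TN_SB) {        /* IAC SB ... IAC SE */
            i += 2;
            while (i < len) {
                if (in[i] == TN_IAC && i + 1 < len && in[i + 1] == TN_SE)
                    break;
                i += (in[i] == TN_IAC && i + 1 < len) ? 2 : 1;
            }
            i += 2;                       /* skip IAC SE, or pass end if unterminated */
        } else {
            i += 2;                       /* two-byte command such as IAC NOP */
        }
    }
    return o;
}

/* Constructed sample: "USER root" with negotiation codes embedded. */
static const unsigned char sample[] = { 'U','S', 255,253,1, 'E','R',
    255,250,24,1,255,240, ' ','r','o', 255,241, 'o','t' };
static unsigned char demo_out[sizeof sample];

int main(void)
{
    size_t n = telnet_normalize(sample, sizeof sample, demo_out);
    printf("%.*s\n", (int)n, (const char *)demo_out);
    return 0;
}
```

An unterminated subnegotiation is dropped to the end of the buffer here; a stream-aware normalizer would instead carry that state into the next segment.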



