[Snort-sigs] Novell Rconj Rules

Andy Beal Andy at ...31...
Mon Mar 12 10:08:24 EST 2001


alert tcp any 2034 -> any any (msg:"Novell RCONJ to Server";flags:PA;content:"|00343337|";)
alert tcp any 2034 -> any any (msg:"Novell RCONJ Invalid Password";flags:PA;content:"|00000002000000|";)

These rules monitor both Inbound and Outbound RconJ sessions.  I dunno
if everyone wants to see outbound traffic, I do as a Novell Service
shop, however the first any could be changed to HOME_NET.

Andy Beal
CNE, CCNP
Matrix Integration, LLC
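
Added example, not part of the original post: a small Python sketch of what the two rules above test, decoding the `|..|` hex content and applying the source-port, flags and content checks to a TCP segment. The helper names are hypothetical and the sample payload bytes are constructed to exercise the patterns; they are not captured RconJ traffic.

```python
import re

# The two rules from the post, each on a single line.
RULES = [
    'alert tcp any 2034 -> any any (msg:"Novell RCONJ to Server";'
    'flags:PA;content:"|00343337|";)',
    'alert tcp any 2034 -> any any (msg:"Novell RCONJ Invalid Password";'
    'flags:PA;content:"|00000002000000|";)',
]

def decode_content(pattern):
    """Snort content string -> bytes: text between pipes is hex, the rest is ASCII."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between a pair of pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("ascii")
    return bytes(out)

def parse_rule(rule):
    """Extract only the fields these two rules use."""
    header, options = rule.split("(", 1)
    opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', options))
    return {
        "src_port": int(header.split()[3]),   # rules key on SOURCE port 2034
        "msg": opts["msg"],
        "flags": set(opts["flags"]),          # PA = PSH and ACK
        "content": decode_content(opts["content"]),
    }

def matches(rule, src_port, tcp_flags, payload):
    """flags:PA with no modifier is an exact match; content may sit anywhere."""
    return (src_port == rule["src_port"]
            and set(tcp_flags) == rule["flags"]
            and rule["content"] in payload)

def alerts(src_port, tcp_flags, payload):
    """Return the msg of every rule that fires on one segment."""
    return [r["msg"] for r in map(parse_rule, RULES)
            if matches(r, src_port, tcp_flags, payload)]

if __name__ == "__main__":
    # Constructed segments (made-up bytes that merely contain the patterns).
    print(alerts(2034, "PA", b"\x00\x00\x00\x10\x00437 constructed"))
    print(alerts(2034, "PA", b"\x00\x00\x00\x02\x00\x00\x00"))
    print(alerts(40000, "PA", b"\x00437"))  # wrong source port: no alert
```

The first content pattern decodes to a zero byte followed by the ASCII digits `437`, and both rules only fire on segments whose source port is 2034, so a segment sent from any other port is never matched even if it carries the same bytes.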


 



