[Snort-sigs] (no subject)

Carmit Partoush carmit at ...1282...
Tue Feb 11 11:36:07 EST 2003


Hello all,
 
I am using Snort.
 
I want to verify that in one telnet session, in one minute, I will not
receive from the user more than 5 times the key "enter" ('41').
 
I want Snort to close the session when I receive the fifth enter
request.
 
Therefore I defined a rule:

    #alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"TELNET login Type alarm alarm"; content:"|41|";)
 
This rule recognizes the telnet request and the "enter" key ('41'). I want
Snort to reset the session; that's why I am using:
 
RESP_TCP_URG resp:rst_all;  That's how I am closing the session.
 
I have no idea how to tell Snort to use the rule that I defined only
after I recognize 5 "enter" in one minute in one session.
 
(Now it closes the session every time I am using telnet and "enter".)
 
Any suggestions?
 
Carmit   
 
 
 
 



