[Snort-sigs] (no subject)

Carmit Partoush carmit at ...1282...
Tue Feb 11 11:36:07 EST 2003

Hello all,
I am using Snort.
I want to verify that, in one telnet session, I will not receive from the
user the "enter" key ('41') more than 5 times in one minute.
I want Snort to close the session when I receive the fifth enter.
Therefore I defined a rule:

#alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"TELNET login Type alarm alarm"; content:"|41|";)

This rule recognizes a telnet request and the "enter" key ('41'). I want
Snort to reset the session, which is why I am using:

RESP_TCP_URG resp:rst_all;

That is how I am closing the session.
I have no idea how to tell Snort to use the rule that I defined only
after I recognize 5 "enter" in one minute in one session.
(Now it closes the session every time I am using telnet and "enter".)
Any suggestions?
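
The per-session counting logic asked about above, as an added example that is not part of the original post and is not Snort code: a sliding 60-second window keyed on the session 4-tuple that signals a reset only on the fifth match. The class and function names and the sample traffic are constructed, and the byte to count is a parameter (the default 0x0D assumes Enter arrives as a carriage return; the post's rule matches 0x41).

```python
from collections import defaultdict, deque

ENTER = 0x0D    # assumption: Enter arrives as carriage return; the post's rule matches 0x41
LIMIT = 5       # reset on the fifth match ...
WINDOW = 60.0   # ... seen within one minute

class EnterRateLimiter:
    """Per-session sliding window over the timestamps of matched bytes."""

    def __init__(self, key_byte=ENTER, limit=LIMIT, window=WINDOW):
        self.key_byte, self.limit, self.window = key_byte, limit, window
        self.hits = defaultdict(deque)  # session 4-tuple -> match timestamps

    def observe(self, ts, session, payload):
        """Return True when this packet should trigger the session reset."""
        q = self.hits[session]
        fired = False
        for _ in range(payload.count(bytes([self.key_byte]))):
            q.append(ts)
            # Drop matches that have aged out of the window.
            while q and ts - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.limit:
                fired = True
        if fired:
            del self.hits[session]  # session is being reset; forget its state
        return fired

def run(events, limiter=None):
    """Feed (timestamp, session, payload) records; return the reset decisions."""
    limiter = limiter or EnterRateLimiter()
    return [(ts, s) for ts, s, p in events if limiter.observe(ts, s, p)]

# Constructed sample traffic: two client sessions to one telnet server.
A = ("10.0.0.5", 40001, "192.0.2.10", 23)
B = ("10.0.0.6", 40002, "192.0.2.10", 23)
SAMPLE = [
    (0.0, A, b"\r\n"), (5.0, A, b"ls\r\n"), (10.0, B, b"\r\n"),
    (12.0, A, b"\r\n"), (20.0, A, b"\r\n"), (30.0, B, b"\r\n"),
    (31.0, A, b"\r\n"),  # fifth Enter from A inside 60 s -> reset A only
    (100.0, B, b"\r\n"), (130.0, B, b"\r\n"), (131.0, B, b"\r\n"),
]

if __name__ == "__main__":
    print(run(SAMPLE))
```

Session B also sends five Enters, but never five inside any 60-second span, so only session A is reset.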
