[Snort-sigs] (no subject)
carmit at ...1282...
Tue Feb 11 11:36:07 EST 2003
I am using snort,
I want to verify that in one telnet session, in one minute I will not
received from the user more then 5 times the key "enter".('41')
I want snort to close the session when I received the fifth enter
That for I defined a rule : #alert tcp $HOME_NET any -> $EXTERNAL_NET 23
(msg:"TELNET login Type alarm alarm"; content:"|41|";)
This rule recognized telnet request and the "enter" key ('41'). I want
snort to reset the session that's way I am using :
RESP_TCP_URG resp:rst_all; that's how I am closing the session.
I have no idea how to tell the snort to use the rule that I defined only
after I recognize 5 "enter" in one minute in one session.
(now it close the session every time I am using telnet and "enter")
any suggestion ???????
More information about the Snort-sigs