[Snort-sigs] documentation for rule 492
dank at ...1581...
dank at ...1581...
Mon Jun 9 06:39:10 EDT 2003
This is my first go at a rule. Ugh, it would appear that the --
dividers used by the template are processed as sig delims. Please CC me
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad
Login"; content: "Login failed"; nocase; flow:from_server,established;
classtype:bad-unknown; sid:492; rev:6;)
A telnet server refused an attempted login.
An attacker may have attempted to gain access to a valid user's account via
the telnet service, but did not succeed. The telnet service is running,
which uses insecure authentication mechanisms.
The telnet server typically runs on TCP port 23. Upon access to the
server, account access is granted based on an unencrypted user name and
password. Upon a failed login (resulting from either an invalid account
or an incorrect password), a login failure message will be returned.
This signature matches the common text "Login failed".
Any system running a telnet server.
Attackers can, particularly when armed with a valid account name,
attempt to use guessing attacks or brute-force means to gain access via
the telnet service. Many successive events of this type would likely be
indicative of such an attack.
The use of a telnet server allows the passive attack of traffic
sniffing, which can extract a username and password from any valid
Ease of Attack:
This event indicates it is possible to perform a brute-force attack; the
ease of such an attack is dependent upon the strength of passwords, and
rate-limiting techniques employed by the telnet server in question.
This event will match any badly-typed or -remembered password, and will
therefore likely false positive fairly often. Look for rapid successive
If a password is correctly guessed, no failure will be noted.
It is best to avoid using telnet whenever possible; its authentication
system is lacking, and encryption is generally unavailable. If your
telnet server can be configured to temporarily disable access after
rapid successive failures, it as advised that you do so.
Original rule author unknown
Documented by Nick Black, Reflex Security <dank at ...1582...>
Telnet RFC: http://www.faqs.org/rfcs/rfc854.html
More information about the Snort-sigs