[Snort-sigs] Signature Definition #717, 12 of 20

Esler, Joel Contractor EslerJ at ...785...
Mon Jun 9 06:58:31 EDT 2003

 Rule: -- TELNET not on console 
 Sid: -- 717  
 Summary: -- This string detects a failed attempted root login response from
a telnet server on your network.
 Impact: -- This is normal Telnet activity.  Root logins should only be
allowed to login on the console, however, telnet uses cleartext usernames
and passwords, anyone sniffing traffic in the middle can receive this
traffic and possibly compromise your network.
 Detailed Information: -- Telnet uses cleartext usernames and passwords,
this should be disallowed and SSH should be used instead.  This signature
detects a failed root login through telnet.
 Affected Systems: -- Any that have the telnet server installed
 Attack Scenarios: -- Slim to Dangerous
 Ease of Attack: -- Easy if installed
 False Positives: -- Unknown
 False Negatives: -- Unknown
 Corrective Action: -- Find and disable unauthorized Telnet Servers, secure
authorized Telnet Servers by removing anonymous logins and require
username/password authentication. If possible remove Telnet altogether and
install SSH, then secure it with your perimeter routers by IP.
 Contributors: -- Joel Esler
 Additional References: 

More information about the Snort-sigs mailing list