[Snort-sigs] SID 716

daniel.clemens daniel_clemens at ...842...
Mon Jun 9 14:41:09 EDT 2003


On Mon, 9 Jun 2003, Steven Alexander wrote:

> Rule:
> TELNET access
> --
> Sid:
>
> 716
>
> --
> Summary:
> This signature indicates that somebody has succeeded in logging in to a
> machine via telnet.
>
> --
> Impact:
>
> Variable.
>
> --
> Detailed Information:
>
> This signature indicates that somebody has logged in to a machine over a
> telnet connection.  This may indicate that a system has been compromised
> if the client is outside your network.  Telnet is a terminal emulation
> program.  The telnet client connects to a telnet server which usually
> runs on TCP port 23.

I don't think this would indicate that the system has been compromised
even if the client is outside of your network.

I would say something like:

This signature indicates that someone has logged into a machine over a
terminal emulation program known as telnet. Telnet is a terminal emulation
program which operates in clear text which can be viewed easily by third
parties running sniffers and/or actively hijacked over an ethernet segment
or LAN/WAN.



> --
> Affected Systems:
>
> All
> --
> Attack Scenarios:
>
> An attacker may have compromised the machine.  This program is also used
> legitimately.

The session can be sniffed and/or hijacked.


> --
> Ease of Attack:
> Very Simple
>
> --
> False Positives:
>
> None known.
>
> --
> False Negatives:
>
> None known.
> --
> Corrective Action:
>
> Do not allow root logins through telnet.  Use a firewall to restrict
> telnet access to certain hosts.  It is preferable to use ssh instead of
> telnet.
>
> --
> Contributors:
> Documentation - Steven Alexander <alexander.s at ...1565...>
> --
> Additional References:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0619
> http://www.whitehats.com/info/IDS0



-Daniel Uriah Clemens

Esse quam videra
    		(to be, rather than to appear)
http://www.birmingham-infragard.org   | 2053284200
fingerprint: EDF0 6566 2A4A 220E 5760  EA1F 0424 6DF6 F662 F5BD





