[Snort-sigs] SID 716

Steven Alexander alexander.s at ...1565...
Mon Jun 9 16:38:09 EDT 2003


> -----Original Message-----
> From: daniel.clemens 
> [mailto:daniel_clemens at ...842...] 
> Sent: Monday, June 09, 2003 9:38 AM
> To: Steven Alexander
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] SID 716
> 
> 
> On Mon, 9 Jun 2003, Steven Alexander wrote:
> 
> > Rule:
> > TELNET access
> > --
> > Sid:
> >
> > 716
> >
> > --
> > Summary:
> > This signature indicates that somebody has succeeded in logging in to
> > a machine via telnet.
> >
> > --
> > Impact:
> >
> > Variable.
> >
> > --
> > Detailed Information:
> >
> > This signature indicates that somebody has logged in to a machine over
> > a telnet connection.  This may indicate that a system has been
> > compromised if the client is outside your network.  Telnet is a 
> > terminal emulation program.  The telnet client connects to a telnet 
> > server which usually runs on TCP port 23.
> 
> I don't think this would indicate that the system has been 
> compromised even if the client is outside of your network.

It depends if there should be connections from outside your network.
But, stating that a telnet session from outside your network could
indicate compromise if you don't allow such connections is too obvious
anyway.  I like your description better than mine.

> I would say something like:
> 
> This signature indicates that someone has logged into a
> machine over a terminal emulation program known as telnet.
> Telnet is a terminal emulation program which operates in
> clear text which can be viewed easily by third parties
> running sniffers and/or actively hijacked over an Ethernet
> segment or LAN/WAN.
> 
> 
> 
> > --
> > Affected Systems:
> >
> > All
> > --
> > Attack Scenarios:
> >
> > An attacker may have compromised the machine.  This program is also 
> > used legitimately.
> 
> The session can be sniffed and/or hijacked.

I like this addition as well.




