[Snort-sigs] Re: Rule 498 and 1882

Brian bmc at ...95...
Wed Sep 3 07:04:12 EDT 2003


On Wed, Sep 03, 2003 at 08:12:49AM -0400, Nigel Houghton wrote:
> G :        new: alert ip any !23 -> any !23 (msg:"ATTACK-RESPONSES id check
> G :returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string;
> G :content:" gid="; distance:0; within:15;
> G :byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882;
> G :rev:9;)

That modification isn't going to go in.  Telnet is an unencrypted
protocol and is rather easy to hijack.  If the rule doesn't fit YOUR
environment, tune it.  If you use telnet to administrate certain
hosts, then ignore those specific hosts.

For the rest of the world, telnet is finally starting to be shunned.

-brian