[Snort-sigs] Re: Rule 498 and 1882

Brian bmc at ...95...
Wed Sep 3 07:04:12 EDT 2003

On Wed, Sep 03, 2003 at 08:12:49AM -0400, Nigel Houghton wrote:
> G :        new: alert ip any !23 -> any !23 (msg:"ATTACK-RESPONSES id check
> G :returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string;
> G :content:" gid="; distance:0; within:15;
> G :byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882;
> G :rev:9;)

That modification isn't going to go in.  Telnet is an unencrypted
protocol and is rather easy to hijack.  If the rule doesn't fit YOUR
environment, tune it.  If you use telnet to administrate certain
hosts, then ignore those specific hosts.

For the rest of the world, telnet is finally starting to be shunned.

