[Snort-sigs] Poor detection rate by 1:716:6 (TELNET access)

nnposter at ...592...
Wed Apr 28 11:15:11 EDT 2004


Rule:  TELNET access

--
Sid: 716

--
Summary:

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

--
False Negatives:
The current version of the rule is extremely dependent on which specific
telnet options are sent by the server and on their exact order. As a
result, the detection reliability is quite low.
--
Corrective Action:

--
Contributors:

-- 
Additional References:



Please see the following example of a telnet handshake that goes
undetected by 1:716:6:

04/27-11:37:30.180100 xxx.xxx.xxx.xxx:23 -> xxx.xxx.xxx.xxx:1863
TCP TTL:63 TOS:0x0 ID:51226 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0xFEE0EBC6  Ack: 0xE8660B92  Win: 0x16D0  TcpLen: 20
FF FD 18 FF FD 20 FF FD 23 FF FD 27              ..... ..#..'


I am proposing to break the single content option into multiple
content:"|FF FD xx|" matches, where xx is a typical telnet option code. Good
candidates would be 0x18 and 0x27. In other words, the rule would be
revised as:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access";
flow:from_server,established; content:"|FF FD 18|"; rawbytes; 
content:"|FF FD 27|"; rawbytes; reference:arachnids,08; 
reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:7;)
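As an added illustration (not part of the original post or of Snort), the following Python decodes the IAC negotiation bytes from the packet dump above and applies the matching logic of the proposed rev:7 rule: two independent content matches with no distance/within modifiers, so both "|FF FD 18|" and "|FF FD 27|" must appear somewhere in the server-to-client payload, in any order. Option names are taken from the telnet RFCs; the extra payloads are constructed for the demonstration.

```python
# Added example: decode telnet option negotiation and mirror the proposed
# sid:716 rev:7 matching logic. Not Snort code; option names from the telnet
# RFCs (ECHO RFC 857, TERMINAL-TYPE RFC 1091, TERMINAL-SPEED RFC 1079,
# X-DISPLAY-LOCATION RFC 1096, NEW-ENVIRON RFC 1572).
IAC = 0xFF
COMMANDS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}
OPTIONS = {0x01: "ECHO", 0x18: "TERMINAL-TYPE", 0x20: "TERMINAL-SPEED",
           0x23: "X-DISPLAY-LOCATION", 0x27: "NEW-ENVIRON"}

# Server->client payload exactly as shown in the packet dump in the post.
CAPTURED = bytes.fromhex("FFFD18FFFD20FFFD23FFFD27")

# Content patterns from the proposed rule. Without distance/within each
# pattern is searched independently, so their order in the payload is free.
REQUIRED_CONTENTS = (bytes.fromhex("FFFD18"), bytes.fromhex("FFFD27"))


def parse_negotiation(payload: bytes) -> list[tuple[str, str]]:
    """Return (command, option) pairs for every 3-byte IAC negotiation.

    An escaped data byte (IAC IAC) is skipped; anything else that is not a
    WILL/WONT/DO/DONT negotiation is treated as ordinary data.
    """
    found = []
    i = 0
    while i + 2 < len(payload):
        if payload[i] == IAC and payload[i + 1] == IAC:
            i += 2                      # literal 0xFF in the data stream
        elif payload[i] == IAC and payload[i + 1] in COMMANDS:
            cmd = COMMANDS[payload[i + 1]]
            opt = OPTIONS.get(payload[i + 2], f"0x{payload[i + 2]:02X}")
            found.append((cmd, opt))
            i += 3
        else:
            i += 1
    return found


def matches_proposed_rule(payload: bytes) -> bool:
    """True when every content pattern of the rev:7 rule occurs in payload."""
    return all(pattern in payload for pattern in REQUIRED_CONTENTS)


if __name__ == "__main__":
    for cmd, opt in parse_negotiation(CAPTURED):
        print(f"IAC {cmd} {opt}")
    print("rev:7 match:", matches_proposed_rule(CAPTURED))
```

Constructed payloads with the DO options reversed, or with only one of the two options, show the rule is order-independent but still needs both patterns.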

