[Snort-sigs] Poor detection rate by 1:716:6 (TELNET access)

nnposter at ...592...
Wed Apr 28 11:15:11 EDT 2004

Rule:  TELNET access

Sid: 716



Detailed Information:

Affected Systems:

Attack Scenarios:

Ease of Attack:

False Positives:

False Negatives:
The current version of the rule is extremely dependent on which specific
telnet options are sent from the server and their exact order. As a
result, the detection reliability is quite low.

Corrective Action:

Additional References:

Please see the following example of a telnet handshake that goes
undetected by 1:716:6:

04/27-11:37:30.180100 xxx.xxx.xxx.xxx:23 -> xxx.xxx.xxx.xxx:1863
TCP TTL:63 TOS:0x0 ID:51226 IpLen:20 DgmLen:52 DF
***AP*** Seq: 0xFEE0EBC6  Ack: 0xE8660B92  Win: 0x16D0  TcpLen: 20
FF FD 18 FF FD 20 FF FD 23 FF FD 27              ..... ..#..'

I am proposing to break the single content options into multiple
content:"|FF FD xx|", where xx is a typical telnet option code. Good
candidates would be 0x18 and 0x27. In other words, the rule would be
revised as:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flow:from_server,established; content:"|FF FD 18|"; rawbytes; content:"|FF FD 27|"; rawbytes; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:7;)
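
The following is an added example, not part of the original post and not Snort code: it parses the server payload from the hexdump above into its IAC DO <option> negotiations and emulates the matching semantics of the proposed rule, where each content: keyword without a distance/within modifier is searched independently anywhere in the payload, so the order in which a server sends its options no longer matters. The option names are taken from the IANA telnet options registry; the CAPTURED bytes are a constructed copy of the hexdump in the post, and the reordered and partial payloads are constructed test inputs.

```python
from typing import List, Tuple

# Telnet negotiation commands (RFC 854).
IAC, DONT, DO, WONT, WILL = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB
VERBS = {DO: "DO", DONT: "DONT", WILL: "WILL", WONT: "WONT"}

# Option names from the IANA telnet options registry, for readability only.
OPTION_NAMES = {0x18: "TERMINAL-TYPE", 0x20: "TERMINAL-SPEED",
                0x23: "X-DISPLAY-LOCATION", 0x27: "NEW-ENVIRON"}

# Constructed copy of the server payload shown in the hexdump above.
CAPTURED = bytes.fromhex("FF FD 18 FF FD 20 FF FD 23 FF FD 27")

# The two content: values exactly as written in the proposed rev:7 rule.
PROPOSED_CONTENTS = ("|FF FD 18|", "|FF FD 27|")


def parse_negotiation(payload: bytes) -> List[Tuple[str, int]]:
    """Return the (verb, option) pairs found in a telnet payload.

    Only the 3-byte IAC <DO|DONT|WILL|WONT> <option> form is extracted.
    IAC IAC is an escaped literal 0xFF data byte and is skipped; any other
    2-byte IAC command (NOP, GA, SB, ...) is skipped as well.
    """
    out: List[Tuple[str, int]] = []
    i = 0
    while i < len(payload):
        if payload[i] != IAC:
            i += 1                      # ordinary data byte
            continue
        if i + 1 >= len(payload):
            break                       # truncated: lone IAC at end
        cmd = payload[i + 1]
        if cmd == IAC:
            i += 2                      # escaped 0xFF
        elif cmd in VERBS and i + 2 < len(payload):
            out.append((VERBS[cmd], payload[i + 2]))
            i += 3
        else:
            i += 2                      # other command, no option byte
    return out


def snort_content_bytes(content: str) -> bytes:
    """Convert a Snort content value such as "|FF FD 18|" or "login|3A 20|"
    into raw bytes; segments between | | are hex, the rest is literal."""
    out = bytearray()
    for idx, part in enumerate(content.split("|")):
        if idx % 2 == 1:
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def rule_matches(payload: bytes, contents=PROPOSED_CONTENTS) -> bool:
    """Emulate several content: keywords with no distance/within modifier:
    every pattern must appear somewhere in the payload, in any order."""
    return all(snort_content_bytes(c) in payload for c in contents)


def describe(payload: bytes) -> List[str]:
    """Human-readable negotiation list, e.g. ['DO TERMINAL-TYPE', ...]."""
    return [f"{verb} {OPTION_NAMES.get(opt, hex(opt))}"
            for verb, opt in parse_negotiation(payload)]


if __name__ == "__main__":
    print(describe(CAPTURED))
    print("proposed rule matches captured payload:", rule_matches(CAPTURED))
    # Constructed: same options, reversed order, still matches.
    print("reversed order matches:",
          rule_matches(bytes.fromhex("FF FD 27 FF FD 23 FF FD 20 FF FD 18")))
```

The emulation only covers the ordering question raised in the post; it does not model Snort's fast-pattern selection, nocase, or rawbytes handling, so treat it as a way to sanity-check which captured server handshakes the two-content form would and would not fire on.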
