[Snort-sigs] SID 718

Ajello, Aaron Aaron.Ajello at ...2204...
Thu Feb 5 06:34:02 EST 2004


I believe SID 718, with message "TELNET login incorrect" has "source
triggering this attack signature" and "destination receiving this attack
signature in reverse."

I recently tried telneting to a system that doesn't allow telnet, only ssh.
This produced an alert in Snort.  But the alert shows my workstation as the
destination and the system I was trying to telnet to as the source.  From
what I read, this comes about when a system issues an error message after a
failed attempt, which is exactly what happened.  But it seems to me the
alert should show the two systems the other way around.  The workstation I
was trying to telnet from should be listed as the source and the system I
was trying to telnet to should be listed as the destination, even though
that's not what the message that tripped the alert was doing.

Anyway, the alert seems backwards to me.  If I'm misinterpreting things or
if this is just the way it's supposed to be, then I apologize for wasting
your time.  I'm a bit new to Snort, so maybe that's what's happening.

Thanks for making Snort.  I think it's a great product.

Aaron Ajello
Cary, NC
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20040205/4af6e0da/attachment.html>

More information about the Snort-sigs mailing list