[Snort-sigs] Poor detection rate by 1:716:6 (TELNET access)

Brian bmc at ...95...
Tue Jul 6 08:12:06 EDT 2004


On Tue, Apr 27, 2004 at 12:38:43PM -0600, nnposter at ...592... wrote:
> I am proposing to break the single content options into multiple
> content:"|FF FD xx|", where xx is a typical telnet option code. Good
> candidates would be 0x18 and 0x27. In other words, the rule would be
> revised as:
> 
> alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access";
> flow:from_server,established; content:"|FF FD 18|"; rawbytes; 
> content:"|FF FD 27|"; rawbytes; reference:arachnids,08; 
> reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:7;)

did something similar, but this went out a while ago.  see new rules




More information about the Snort-sigs mailing list