[Snort-sigs] More false negatives for 716.10 (TELNET access)

nnposter at ...592...
Tue Jul 27 12:02:03 EDT 2004


Rule:  TELNET access

--
Sid: 716

--

False Negatives: The current version of the rule is still not catching all
variants of a telnet handshake. While it seems to work for most
full-featured servers, its requirement for three DO options is too much
for lightweight telnet servers embedded in networking gear. Random
sampling confirmed that the current rule will not fire on telnet access to
the following equipment:

Cisco IOS		will:echo/will:sga/do:term/do:size
Cisco CatOS		will:echo/will:sga/do:echo
Cisco PIX		will:sga,will:echo/will:sga/will:echo
Nortel BayStack		do:sga/will:echo/will:sga
Nortel Contivity	will:echo

The best solution seems to be to leave 716.10 as is and create another
telnet access rule looking for WILL 01 + WILL 03 (see below). I have
opted for this form due to the lack of other common patterns. A slightly
more future-proof version would be to split the two options into
separate content clauses, but the rule would not be as efficient.

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any 
(msg:"TELNET general access"; flow:from_server,established; 
content:"|FF FB 01 FF FB 03|"; rawbytes; 
reference:arachnids,08; reference:cve,1999-0619; 
classtype:not-suspicious; sid:XXX; rev:YYY;)

The rule will fire on most (but not all) telnet handshakes captured by
716.10 but also on all the listed devices except Contivity, which has an
extremely small telnet handshake. It would require a dedicated rule with
banner matching:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any 
(msg:"TELNET Contivity access"; flow:from_server,established; 
content:"|0A 0D 0A 0D|Login|3A 20|"; rawbytes; 
reference:arachnids,08; reference:cve,1999-0619; 
classtype:not-suspicious; sid:XXX; rev:YYY;)

This should be fairly unique due to the reversed CR-LF sequence.

Yet another telnet false negative occurs if the telnet server uses TLS. 
In this case the access can be detected by checking for DO 46:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any 
(msg:"TELNET TLS access"; flow:from_server,established; 
content:"|FF FD 2E|"; rawbytes; 
reference:arachnids,08; reference:cve,1999-0619; 
classtype:not-suspicious; sid:XXX; rev:YYY;)
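As an added illustration (not part of the original post or of the Snort rule set), the following script decodes a server's IAC option negotiation and checks the three content clauses proposed above against constructed handshakes built from the device table; the option numbers echo=1, sga=3, term=24, size=31 and tls=46 are the standard telnet option codes, the samples are constructed with packet boundaries dropped, and the "reordered" sample is hypothetical, added to show where the split-clause variant would fire while the contiguous clause would not.

```python
IAC, WILL, WONT, DO, DONT = 0xFF, 0xFB, 0xFC, 0xFD, 0xFE
VERB = {WILL: "will", WONT: "wont", DO: "do", DONT: "dont"}
OPT = {1: "echo", 3: "sga", 24: "term", 31: "size", 46: "tls"}

def decode_negotiation(data: bytes) -> list:
    """Return the IAC option negotiations in data as 'verb:option' strings."""
    out, i = [], 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in VERB:
            out.append(f"{VERB[data[i + 1]]}:{OPT.get(data[i + 2], data[i + 2])}")
            i += 3
        elif data[i] == IAC and i + 1 < len(data) and data[i + 1] == IAC:
            i += 2  # escaped literal 0xFF data byte
        else:
            i += 1
    return out

# Content clauses exactly as written in the three rules proposed above.
GENERAL = bytes([IAC, WILL, 1, IAC, WILL, 3])  # |FF FB 01 FF FB 03|
CONTIVITY = b"\x0a\x0d\x0a\x0dLogin\x3a\x20"   # |0A 0D 0A 0D|Login|3A 20|
TLS = bytes([IAC, DO, 46])                      # |FF FD 2E|

def rules_fired(data: bytes) -> set:
    """Names of the proposed rules whose content clause matches this server data."""
    fired = set()
    if GENERAL in data: fired.add("general")
    if CONTIVITY in data: fired.add("contivity")
    if TLS in data: fired.add("tls")
    return fired

def split_general(data: bytes) -> bool:
    """The 'two separate content clauses' variant: WILL 01 and WILL 03 anywhere."""
    return bytes([IAC, WILL, 1]) in data and bytes([IAC, WILL, 3]) in data

def neg(*pairs):
    """Build a server negotiation byte string from (verb, option) pairs."""
    return b"".join(bytes([IAC, v, o]) for v, o in pairs)

# Constructed samples following the device table above (packet boundaries dropped).
SAMPLES = {
    "ios": neg((WILL, 1), (WILL, 3), (DO, 24), (DO, 31)),
    "catos": neg((WILL, 1), (WILL, 3), (DO, 1)),
    "pix": neg((WILL, 3), (WILL, 1), (WILL, 3), (WILL, 1)),
    "baystack": neg((DO, 3), (WILL, 1), (WILL, 3)),
    "contivity": neg((WILL, 1)) + CONTIVITY,
    "tls_server": neg((DO, 46)),
    "reordered": neg((WILL, 3), (DO, 24), (WILL, 1)),  # hypothetical: only the split variant fires
}

for name, data in SAMPLES.items():
    print(f"{name:10} {'/'.join(decode_negotiation(data)):36} {sorted(rules_fired(data))} split={split_general(data)}")
```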
