[Snort-sigs] [SPAM] FN on community very old sid 1253 rev 21?

Patrick Mullen pmullen at ...435...
Tue Apr 23 11:37:51 EDT 2013

Thanks for the info.  Looking at the rule and the exploit description,
I believe the flow is backward and I'm changing it to to_server.



On Mon, Apr 22, 2013 at 5:10 PM, rmkml <rmkml at ...174...> wrote:
> Hi,
> Can you check the flow side on this very old rule, because it causes an FN, please? (This rule
> is not enabled by default.)
>   alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200;
> content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064;
> reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:21;)
> Regards
> Rmkml
> http://twitter.com/rmkml

Patrick Mullen
Response Research Manager
Sourcefire VRT
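
The mismatch discussed in this thread, as an added example that is not part of the original messages and is not Snort or VRT code: a small lint that flags a rule whose header points at the server side while `flow` says to_client (or the reverse), so the rule cannot match. The `server_side` heuristic, the function names and the `RULE_TO_SERVER` variant (the quoted rule with only the flow keyword changed, rev left as quoted) are assumptions for illustration.

```python
import re

# Constructed sample input: the rule quoted in the thread, joined onto one line.
RULE_AS_POSTED = (
    'alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 '
    '(msg:"TELNET bsd exploit client finishing"; flow:to_client,established; '
    'dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; '
    'rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; '
    'reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; '
    'sid:1253; rev:21;)'
)
# Assumption: same rule with only the flow direction changed, as the reply describes.
RULE_TO_SERVER = RULE_AS_POSTED.replace("flow:to_client", "flow:to_server")

HEADER = re.compile(
    r'^\s*\w+\s+\w+\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$', re.S)
TO_SERVER = {"to_server", "from_client"}
TO_CLIENT = {"to_client", "from_server"}

def server_side(addr, port):
    """Heuristic (assumption): an endpoint is the server if its address variable
    ends in _SERVERS or its port is a single fixed number."""
    return addr.upper().endswith("_SERVERS") or port.isdigit()

def check_flow(rule):
    """Return a finding string if flow contradicts the header, else None."""
    m = HEADER.match(rule)
    if not m or m["dir"] != "->":
        return None  # unparsable or bidirectional header: nothing to compare
    flow = re.search(r'\bflow\s*:\s*([^;]+);', m["opts"])
    if not flow:
        return None
    words = {w.strip() for w in flow.group(1).split(",")}
    sid = re.search(r'\bsid\s*:\s*(\d+)', m["opts"])
    tag = "sid " + sid.group(1) if sid else "rule"
    dst_is_server = server_side(m["dst"], m["dport"])
    src_is_server = server_side(m["src"], m["sport"])
    if dst_is_server and not src_is_server and words & TO_CLIENT:
        return f"{tag}: header targets server {m['dst']}:{m['dport']} but flow is to_client"
    if src_is_server and not dst_is_server and words & TO_SERVER:
        return f"{tag}: header sources from server {m['src']}:{m['sport']} but flow is to_server"
    return None

if __name__ == "__main__":
    for r in (RULE_AS_POSTED, RULE_TO_SERVER):
        print(check_flow(r) or "ok")
```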
