[Snort-sigs] Rule for filtering Telnet protocol
cjimenez at ...3841...
Fri Sep 27 09:06:50 EDT 2013
I'd like to create a rule for Snort to detect Telnet traffic, regardless
of the port used for the Telnet session. Is there any way to do it?
I guess that the ftp-telnet preprocessor normalizes the telnet (and ftp)
traffic, so is it possible to create a rule from the ftp/telnet
preprocessor, i.e. taking advantage of normalized fields from the
I have sniffed a Telnet session and I've realized that there are several
commands (i.e. Do, Will...) that seem to belong to the Telnet
protocol itself. I have created a rule like this:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Telnet"; content:"|FF FB|"; rawbytes; sid:1000; rev:1;)
Using that rule I managed to detect the "Will" command, but it bypasses the
decoding process and I'm not sure at all that it doesn't generate false
positives with other protocols.
Please, could you give me advice about this issue?
Thanks in advance.
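As an added illustration (not code from the poster or from the Snort project) of why a bare `|FF FB|` match is prone to false positives and what a tighter, port-independent check looks like, the following Python snippet parses raw TCP payload bytes for well-formed Telnet option negotiations (IAC followed by WILL/WONT/DO/DONT and an option byte, with IAC SB ... IAC SE subnegotiations skipped and the escaped `FF FF` data byte ignored) and only flags a payload when it carries at least two of them near the start of the stream. It generalizes the single-command match in the rule above to all four negotiation verbs. The sample payloads, the thresholds (two negotiations within the first 64 bytes) and the function names are constructed for this example; feed it the payload of the first server segment of a TCP session in practice.

```python
"""Heuristic detector for Telnet option negotiation in raw TCP payloads.

Added example, not the poster's rule nor part of Snort. Thresholds and
sample data below are constructed assumptions for illustration.
"""

IAC = 0xFF                 # "Interpret As Command" escape byte
SE, SB = 0xF0, 0xFA        # end / start of subnegotiation
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE
NEGOTIATION_VERBS = {WILL, WONT, DO, DONT}


def find_negotiations(payload: bytes) -> list[tuple[int, int]]:
    """Return (verb, option) pairs for every well-formed IAC negotiation.

    A literal 0xFF data byte is sent as IAC IAC and is skipped, so a stray
    0xFF 0xFB inside binary data only counts when it is a complete triplet
    that is not part of an escape sequence.
    """
    found = []
    i, n = 0, len(payload)
    while i < n:
        if payload[i] != IAC:
            i += 1
            continue
        if i + 1 >= n:               # truncated command at end of segment
            break
        cmd = payload[i + 1]
        if cmd == IAC:               # IAC IAC: escaped data byte, not a command
            i += 2
        elif cmd in NEGOTIATION_VERBS:
            if i + 2 >= n:           # verb without an option byte: incomplete
                break
            found.append((cmd, payload[i + 2]))
            i += 3
        elif cmd == SB:              # skip IAC SB ... IAC SE subnegotiation
            end = payload.find(bytes([IAC, SE]), i + 2)
            if end == -1:
                break
            i = end + 2
        else:                        # other two-byte commands (NOP, AYT, ...)
            i += 2
    return found


def looks_like_telnet(payload: bytes, min_negotiations: int = 2, window: int = 64) -> bool:
    """True when at least `min_negotiations` well-formed negotiations appear
    within the first `window` bytes. Telnet servers and clients normally
    exchange several DO/WILL options immediately, which other protocols do
    not; both thresholds are constructed heuristics, not a standard."""
    return len(find_negotiations(payload[:window])) >= min_negotiations


# Constructed sample payloads (not captured traffic):
# typical server opening: DO TERMINAL-TYPE, DO TSPEED, DO XDISPLOC, DO NEW-ENVIRON
SAMPLE_TELNET_BANNER = bytes([0xFF, 0xFD, 0x18, 0xFF, 0xFD, 0x20,
                              0xFF, 0xFD, 0x23, 0xFF, 0xFD, 0x27])
# binary data that happens to contain FF FB once (what the bare rule would hit)
SAMPLE_COINCIDENCE = b"\x00\x01\xff\xfb\x00\x00"
# escaped data byte FF FF followed by one real WILL ECHO
SAMPLE_ESCAPED = b"\xff\xff\xff\xfb\x01"
# subnegotiation (terminal type "ANSI") followed by WILL ECHO
SAMPLE_SUBNEG = b"\xff\xfa\x18\x00ANSI\xff\xf0\xff\xfb\x01"
# start of a TLS ClientHello record header, no IAC bytes at all
SAMPLE_TLS = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"

if __name__ == "__main__":
    for name, data in [("telnet banner", SAMPLE_TELNET_BANNER),
                       ("binary with FF FB", SAMPLE_COINCIDENCE),
                       ("escaped FF", SAMPLE_ESCAPED),
                       ("subnegotiation", SAMPLE_SUBNEG),
                       ("tls", SAMPLE_TLS)]:
        print(f"{name:20} negotiations={find_negotiations(data)} "
              f"telnet={looks_like_telnet(data)}")
```

Running it shows the banner flagged with four DO negotiations while the binary blob, the escaped byte and the TLS header are not, which is the distinction a `|FF FB|` content match alone cannot make; the Snort equivalent of this tightening is to anchor on a full negotiation triplet and require it early in the stream (e.g. a `depth` limit) rather than matching two bytes anywhere in the payload.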