[Snort-sigs] Rule for filtering Telnet protocol

Carlos Jimenez cjimenez at ...3841...
Fri Sep 27 09:06:50 EDT 2013


Hello everybody,

I'd like to create a rule for Snort to detect Telnet traffic, regardless 
of the port used for the Telnet session. Is there any way to do it?
I guess that the ftp-telnet preprocessor normalizes the telnet (and ftp) 
traffic so, is it possible to create a rule from the ftp/telnet 
preprocessor? i. e. taking advantage of normalized fields from the 
preprocessor.
I have sniffed a Telnet session and I've realized that there are several 
commands (i. e. Do, Will...) that seem to belong to the Telnet 
protocol itself. I have created a rule like this:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Telnet"; content:"|FF FB|"; rawbytes; sid:1000; rev:1;)

Using that rule I managed to detect the "Will" command, but that bypasses 
the decoding process, and I'm not at all sure that it doesn't generate 
false positives with other protocols.

Please, could you give me advice about this issue?

Thanks in advance.

Carlos.
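As an added example (not part of Carlos's post or of Snort), the kind of structural check a preprocessor-style detector applies to the IAC negotiation sequences of RFC 854/855, shown next to the bare |FF FB| byte match from the rule above; the two-negotiation threshold and the sample payloads are my own assumptions, constructed for the demo.

```python
# Added example, not from the original post: parse Telnet option
# negotiation (IAC sequences) so a detector can require well-formed
# negotiations instead of matching the bytes FF FB anywhere.

IAC, SE, SB, WILL, WONT, DO, DONT = 0xFF, 0xF0, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE
NEGOTIATE = {WILL: "WILL", WONT: "WONT", DO: "DO", DONT: "DONT"}


def parse_negotiations(payload: bytes):
    """Return (negotiations, malformed): a list of (command, option)
    tuples and a count of IAC bytes not followed by a valid command."""
    found, malformed, i = [], 0, 0
    while i < len(payload):
        if payload[i] != IAC:
            i += 1
            continue
        if i + 1 >= len(payload):          # IAC at the very end
            malformed += 1
            break
        cmd = payload[i + 1]
        if cmd in NEGOTIATE and i + 2 < len(payload):
            found.append((NEGOTIATE[cmd], payload[i + 2]))
            i += 3
        elif cmd == SB:                    # subnegotiation runs to IAC SE
            end = payload.find(bytes([IAC, SE]), i + 2)
            if end < 0:
                malformed += 1
                break
            i = end + 2
        elif cmd == IAC or 0xF0 <= cmd <= 0xF9:  # escaped 0xFF, NOP, GA, AYT...
            i += 2
        else:                              # not a Telnet command byte
            malformed += 1
            i += 1
    return found, malformed


def naive_match(payload: bytes) -> bool:
    """What content:"|FF FB|" alone checks: the two bytes appear anywhere."""
    return b"\xff\xfb" in payload


def looks_like_telnet(payload: bytes, min_negotiations: int = 2) -> bool:
    """Assumed heuristic: several complete negotiations, no malformed IAC."""
    found, malformed = parse_negotiations(payload)
    return len(found) >= min_negotiations and malformed == 0


# Constructed samples: a typical server greeting (DO TERMINAL-TYPE, WILL
# ECHO, WILL SUPPRESS-GO-AHEAD) and a binary blob that merely contains FF FB.
TELNET_GREETING = b"\xff\xfd\x18\xff\xfb\x01\xff\xfb\x03login: "
BINARY_BLOB = b"\x89PNG\r\n\x1a\n\x00\x17\xff\xfb\x9c\x12\xff\x00\xff\x4a"
```

The bare byte match fires on both samples; the structural check fires only on the greeting, which is the false-positive gap the question is about.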