[Snort-sigs] snort telnet login alert

Joel Esler (jesler) jesler at ...3865...
Sun Sep 7 14:51:46 EDT 2014


Capture a packet capture of what you are trying to detect.  That's step one, step two is to attempt detection.   

Sounds like step one is still needed.  

--
Joel Esler
iPhone

> On Sep 7, 2014, at 13:36, "lists at ...3397..." <lists at ...3397...> wrote:
> 
>> On 09/07/2014 11:06 AM, Виталий Щетинин wrote:
>> Ok. We can forgot about my rule. How can I alert telnet login?
> 
> Telnet, with respect to detecting authentication success/failure, is an
> unstructured protocol and login success and failure nomenclature will vary based
> on the daemon.  Without a specific use case we will be unable to help you.
> Essentially you are asking the equivalent of "How can I detect a bad login over
> HTTP" -- do you mean auth-basic?  Web application?  What application?
> 
> Cheers,
> Nathan
> 
> ------------------------------------------------------------------------------
> Slashdot TV.  
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!




More information about the Snort-sigs mailing list