[Snort-users] IDS127 TELNET - Login Incorrect

Keith Pachulski Keith.Pachulski at ...222...
Fri Sep 1 09:55:52 EDT 2000


I seem to be getting a lot of false alerts with this rule "IDS127 TELNET -
Login Incorrect" with Snort on Red Hat Linux 6.1, so I made a few changes to the
original rule:

#alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS127 TELNET - Login Incorrect"; content:"Login incorrect";)
alert tcp $HOME_NET 23 -> !$HOME_NET any (msg:"IDS127 TELNET - NEW: Login Incorrect"; content:"|4C 6F 67 69 6E 20 69 6E 63 6F 72 72 65 63 74|"; flags:PA; depth:15;)

So far it does not seem to be generating any false alerts while still
alerting on "actual" failed logins.

Keith Pachulski
Network Security Engineer
PenTeleData Internet Services
Phone: (800) 281-3564 ext. 277
PGP Key: finger strmshdw at ...404...

"A Firewall is really much like a sophisticated traffic cop; it detects and
stops unauthorized or suspicious movement in or out of the network. But
security is more than a Firewall; it's a process. You can't just put in a
Firewall and think you're secure."
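
Added example (not part of the original post and not Snort's own code): a small Python model of the content, depth and flags options in the two rules above, run over constructed payloads. It assumes flags:PA requires exactly PSH and ACK to be set; the payloads are hypothetical, since the post does not show the traffic that caused the false alerts.

```python
# Added example: models only content/depth/flags from the two rules in the post.
PSH, ACK = 0x08, 0x10  # TCP flag bits

def parse_content(spec):
    """Decode a Snort content string; text between | | is hex bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

def rule_matches(payload, tcp_flags, content, depth=None, flags=None):
    # Assumption: flags without a modifier must equal the packet's flags exactly.
    if flags is not None and tcp_flags != flags:
        return False
    # depth limits the search to the first N payload bytes.
    window = payload if depth is None else payload[:depth]
    return parse_content(content) in window

ORIGINAL = {"content": "Login incorrect"}
REVISED = {"content": "|4C 6F 67 69 6E 20 69 6E 63 6F 72 72 65 63 74|",
           "depth": 15, "flags": PSH | ACK}

# Constructed payloads (hypothetical), each paired with its TCP flags.
SAMPLES = {
    "failed_login": (b"Login incorrect\r\nlogin: ", PSH | ACK),
    "string_mid_output": (b"$ tail messages\r\nSep  1 login: Login incorrect\r\n", PSH | ACK),
    "leading_crlf": (b"\r\nLogin incorrect\r\nlogin: ", PSH | ACK),
}

def evaluate():
    """Return {sample: (original_rule_fires, revised_rule_fires)}."""
    return {name: (rule_matches(p, f, **ORIGINAL), rule_matches(p, f, **REVISED))
            for name, (p, f) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (orig, new) in evaluate().items():
        print(f"{name:18} original={orig!s:5} revised={new}")
```

The hex content is 15 bytes, so depth:15 only matches when the string begins at the first payload byte: the mid-output sample stops alerting, and so does a server message that puts any bytes in front of the string.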