[Snort-users] Stupid rule question

Ryan Russell ryan at ...35...
Mon Mar 26 13:50:24 EST 2001

So, I'm looking at some of the rules on the snort.org site, and there are
several like this under the WEB-MISC category:

alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any (msg:"WEB-MISC telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)

My question has to do with the port numbers.  If I'm reading this right,
the rule is looking for packets from outside, from TCP port 80, to your
web servers, on any port.  By my thinking, this implies your web servers
acting as web clients to outside machines.  And, it's looking for
telnet.exe in the content, implying that your web server has downloaded a
page with that in it.  I'm not even sure what exploit this would be for...
any client-side holes I would expect to use telnet:// instead.

If the any and 80 were reversed, it would make sense to me... it would be
watching for an attempt to call telnet.exe on your web server.

What am I misunderstanding?
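To make the direction question concrete, here is an added example (written for this post, not part of the original message or of Snort itself): a small Python matcher that parses a Snort-style rule header and options and evaluates it against constructed packet tuples. It binds $EXTERNAL_NET and $HTTP_SERVERS to assumed values, understands only `any`, CIDR/host addresses, `!` negation, single ports and `lo:hi` ranges, and implements just `flags`, `content` and `nocase`; everything else in real Snort is out of scope. Run against the rule as posted and the same rule with `80` and `any` swapped, it shows which of two traffic directions each version fires on.

```python
import ipaddress
import re

# Assumed snort.conf-style variable bindings (constructed for this example).
VARS = {
    "$EXTERNAL_NET": ["!192.168.1.0/24"],   # everything that is not the LAN
    "$HTTP_SERVERS": ["192.168.1.10"],      # one internal web server
}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


def parse_rule(text):
    """Split a one-line rule into its header fields and a dict of options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule header: %r" % text)
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')   # bare keywords get ""
    rule = m.groupdict()
    rule["opts"] = opts
    return rule


def addr_matches(spec, ip):
    """Evaluate an address spec ('any', CIDR, host, $VAR, with optional '!')."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec in VARS:
        hit = any(addr_matches(s, ip) for s in VARS[spec])
    elif spec == "any":
        hit = True
    else:
        hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate


def port_matches(spec, port):
    """Evaluate a port spec ('any', N, lo:hi, with optional '!')."""
    negate = spec.startswith("!")
    spec = spec.lstrip("!")
    if spec == "any":
        hit = True
    elif ":" in spec:
        lo, _, hi = spec.partition(":")
        hit = (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    else:
        hit = int(spec) == port
    return hit != negate


def header_matches(rule, pkt):
    fwd = (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])
           and addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"]))
    if rule["dir"] == "<>" and not fwd:   # bidirectional: also try the reverse tuple
        fwd = (addr_matches(rule["src"], pkt["dst"]) and port_matches(rule["sport"], pkt["dport"])
               and addr_matches(rule["dst"], pkt["src"]) and port_matches(rule["dport"], pkt["sport"]))
    return fwd


def rule_matches(rule, pkt):
    """True if the packet tuple satisfies the header and the supported options."""
    if rule["proto"] != pkt["proto"] or not header_matches(rule, pkt):
        return False
    opts = rule["opts"]
    flags = opts.get("flags")
    if flags is not None:
        want = set(flags.rstrip("+"))
        have = set(pkt["flags"])
        # 'A+' means ACK set plus anything else; without '+' the set must match exactly
        if not (want <= have if flags.endswith("+") else want == have):
            return False
    needle = opts.get("content")
    if needle is not None:
        hay = pkt["payload"]
        if "nocase" in opts:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True


AS_WRITTEN = parse_rule('alert tcp $EXTERNAL_NET 80 -> $HTTP_SERVERS any '
                        '(msg:"WEB-MISC telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)')
REVERSED = parse_rule('alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 '
                      '(msg:"WEB-MISC telnet attempt"; flags: A+; content:"telnet.exe"; nocase;)')

# Constructed packets. RESPONSE: an outside web server answering the internal host,
# which is therefore acting as a client. REQUEST: an outside client asking the
# internal web server for a URL that names telnet.exe.
RESPONSE = dict(proto="tcp", src="203.0.113.5", sport=80, dst="192.168.1.10", dport=34567,
                flags="AP", payload='<a href="telnet.exe">TELNET.EXE</a>')
REQUEST = dict(proto="tcp", src="203.0.113.5", sport=34567, dst="192.168.1.10", dport=80,
               flags="AP", payload="GET /TELNET.EXE HTTP/1.0\r\n\r\n")

if __name__ == "__main__":
    for name, rule in (("as written", AS_WRITTEN), ("reversed", REVERSED)):
        print(name, "fires on response:", rule_matches(rule, RESPONSE),
              "fires on request:", rule_matches(rule, REQUEST))
```

As posted, the rule fires only on the reply leg (external port 80 to an internal server on any port), which is the "web server acting as a client" reading; with the ports swapped it fires on inbound requests to port 80 instead.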


