[Snort-users] A rule for telnet commands

Matt Kettler mkettler at ...4108...
Mon Dec 16 14:01:01 EST 2002


heh, that's what the stream4 and telnet decode preprocessors are for. With 
them on, snort rules will match, even if the data is spread out across 
several IP packets. No need for special handling in the rules at all, so a 
content: "enable"; should work just fine.



At 11:50 AM 12/16/2002 -0800, posts wrote:

>I would like to write a rule for a specific telnet command (like the Cisco 
>"enable" command for example).
>
>But since telnet commands seem to be transmitted a character at a time a 
>simple (...content:"enable";...) option will not work, so it seems that 
>some reassembly is required.
>
>Is it possible to write a rule to catch a specific telnet command?... and if 
>so how?
>
>Thanks!
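
Added example, not part of the original thread and not Snort code: a simplified Python model of the two steps the reply attributes to the stream4 and telnet decode preprocessors, showing why a per-packet match for "enable" misses a command typed one character per packet while a match on the reassembled, negotiation-stripped stream finds it. All function names, sequence numbers and payloads are constructed for illustration.

```python
# Simplified model, not Snort code. All names and data here are constructed.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATE = (0xFB, 0xFC, 0xFD, 0xFE)  # WILL, WONT, DO, DONT

def reassemble(segments):
    """Order (seq, payload) pairs by sequence number; drop retransmitted bytes.
    Gaps and sequence wraparound are ignored in this model."""
    stream, next_seq = bytearray(), None
    for seq, payload in sorted(segments):
        if next_seq is None:
            next_seq = seq
        if seq + len(payload) <= next_seq:
            continue  # nothing new in this segment
        stream += payload[max(0, next_seq - seq):]
        next_seq = seq + len(payload)
    return bytes(stream)

def strip_telnet(data):
    """Remove IAC option negotiation so only the typed data remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= len(data):
            break  # truncated IAC at end of buffer
        elif data[i + 1] == IAC:
            out.append(IAC)  # escaped literal 0xFF
            i += 2
        elif data[i + 1] in NEGOTIATE:
            i += 3  # IAC, verb, option
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2  # two-byte command such as IAC NOP
    return bytes(out)

def per_packet_hit(segments, pattern):
    return any(pattern in payload.lower() for _, payload in segments)

def stream_hit(segments, pattern):
    return pattern in strip_telnet(reassemble(segments)).lower()

# Constructed client-to-server segments: one keystroke per packet, with a
# retransmission, an out-of-order pair and negotiation in mid-command.
SEGMENTS = [(1000, b"\xff\xfd\x01"), (1003, b"e"), (1004, b"n"), (1005, b"a"),
            (1005, b"a"), (1007, b"l"), (1006, b"b"), (1008, b"\xff\xfb\x1f"),
            (1011, b"e"), (1012, b"\r\n")]
```

In this sample the reassembled bytes alone still do not contain "enable", because option negotiation lands in the middle of the word; the match only succeeds after both steps.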




