[Snort-users] A rule for telnet commands
mkettler at ...4108...
Mon Dec 16 14:01:01 EST 2002
Heh, that's what the stream4 and telnet decode preprocessors are for. With
them on, Snort rules will match even if the data is spread out across
several IP packets. No need for special handling in the rules at all, so a
content: "enable"; should work just fine.
At 11:50 AM 12/16/2002 -0800, posts wrote:
>I would like to write a rule for a specific telnet command (like the Cisco
>"enable" command for example).
>But since telnet commands seem to be transmitted a character at a time a
>simple (...content:"enable";...) option will not work, so it seems that
>some reassembly is required.
>Is it possible to write a rule to catch a specific telnet command?... and if
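The behaviour discussed in this thread, as an added illustration that is not part of the original messages and not Snort's own code: a simplified Python model of why a per-packet content match misses a command typed one character at a time, and why matching after stream reassembly and telnet normalization finds it. The function names and the sample segments are constructed for this example.

```python
IAC, SE, SB, WILL, DONT = 255, 240, 250, 251, 254  # telnet command bytes (RFC 854)

def reassemble(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs."""
    stream, base = bytearray(), None
    for seq, payload in sorted(segments):
        base = seq if base is None else base
        offset = seq - base
        if offset > len(stream):
            break                                  # gap: later bytes not usable yet
        stream += payload[len(stream) - offset:]   # skip bytes already seen
    return bytes(stream)

def strip_telnet(data):
    """Drop telnet negotiation and command sequences, keep the typed data."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i]); i += 1
        elif i + 1 >= len(data):
            break                                  # truncated command at end of buffer
        elif data[i + 1] == IAC:
            out.append(IAC); i += 2                # escaped literal 0xFF
        elif WILL <= data[i + 1] <= DONT:
            i += 3                                 # IAC WILL/WONT/DO/DONT <option>
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2  # skip whole subnegotiation
        else:
            i += 2                                 # two-byte command such as IAC NOP
    return bytes(out)

def per_packet_match(segments, pattern):
    """What a content match sees with no reassembly: each payload alone."""
    return any(pattern in payload for _, payload in segments)

def stream_match(segments, pattern):
    """Match against the reassembled, telnet-normalized byte stream."""
    return pattern in strip_telnet(reassemble(segments))

# Constructed client-to-server segments in arrival order: option negotiation,
# "enable" typed a byte at a time, one retransmission, one out-of-order
# segment, and an IAC NOP in the middle of the word.
SEGMENTS = [(1000, b"\xff\xfb\x18"), (1003, b"e"), (1004, b"n"), (1005, b"a"),
            (1005, b"a"), (1006, b"b"), (1009, b"l"), (1007, b"\xff\xf1"),
            (1010, b"e"), (1011, b"\r\n")]

if __name__ == "__main__":
    print("per-packet match:", per_packet_match(SEGMENTS, b"enable"))
    print("stream match:    ", stream_match(SEGMENTS, b"enable"))
```

Reassembly alone is not enough for this sample: the raw stream still has the IAC NOP bytes inside the word, which is why the telnet decode step matters as well.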