[Snort-users] A rule for telnet commands

Steve Halligan giermo at ...187...
Tue Dec 17 06:41:09 EST 2002


>heh, that's what the stream4 and telnet decode preprocessors are for. With
>them on snort rules will match, even if the data is spread out across
>several IP packets. No need for special handling in the rules at all, so a
>content: "enable"; should work just fine.
>
>At 11:50 AM 12/16/2002 -0800, posts wrote:
>
>>I would like to write a rule for a specific telnet command (like the Cisco
>>"enable" command for example

OT, but keep in mind that looking for 'enable' is not gonna work.
Cisco devices can be put into enable mode by typing 'enable' or 'en'
or 'ena' or 'enab' or 'enabl'.  The only string that you are sure to
see is the 'en' part of it, and that is guaranteed to false positive
if you look for that.  Perhaps a rule that looks for your Cisco devices
sending a 'routername#' back to the client.

-steve
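The three detection strategies discussed in this thread, worked through in Python as an added example (this is not code from the thread, from Snort, or from Cisco). It runs each approach over a constructed telnet session: a plain substring match for "enable" on the client-to-server stream (what a `content:"enable";` rule does once the stream is reassembled), a substring match for "en", an exact-token match against every abbreviation Steve lists, and finally Steve's suggestion of watching the server-to-client direction for a `hostname#` privileged prompt. The session text, the hostname `router1`, and the benign "show environment" session are all made up for the example; checking the server-to-client direction corresponds to Snort's `flow:from_server` keyword.

```python
import re

# Constructed telnet session fragments (not real captures). Each tuple is
# (direction, payload): "c2s" = client -> server, "s2c" = server -> client.
# The operator types the abbreviated 'en' rather than the full 'enable'.
SESSION = [
    ("s2c", "User Access Verification\r\nPassword: "),
    ("c2s", "letmein\r\n"),
    ("s2c", "\r\nrouter1>"),
    ("c2s", "en\r\n"),                # abbreviated enable: content:"enable" never sees it
    ("s2c", "Password: "),
    ("c2s", "secret\r\n"),
    ("s2c", "\r\nrouter1#"),          # privileged EXEC prompt: the reliable signal
    ("c2s", "show running-config\r\n"),
    ("s2c", "Building configuration...\r\nrouter1#"),
]

# Constructed benign session: never enters enable mode, but the command text
# contains 'en' as a substring and the banner contains a '#'.
BENIGN = [
    ("s2c", "Use of this system is monitored #1 rule\r\nrouter1>"),
    ("c2s", "show environment\r\n"),
    ("s2c", "Temperature: OK\r\nrouter1>"),
]


def client_stream(session):
    """Reassemble the client -> server bytes, as stream4 would before matching."""
    return "".join(payload for direction, payload in session if direction == "c2s")


def content_match(session, needle):
    """Snort-style content match: fires if the literal needle appears anywhere
    in the reassembled client stream, regardless of token boundaries."""
    return needle in client_stream(session)


# Every abbreviation IOS accepts for 'enable', per Steve's list.
ENABLE_PREFIXES = {"en", "ena", "enab", "enabl", "enable"}


def typed_commands(session):
    """Split the client stream into the lines the operator submitted."""
    return [line.strip() for line in client_stream(session).split("\r\n") if line.strip()]


def enable_command_typed(session):
    """Exact first-token match, so 'en' fires but 'environment' does not."""
    return any(cmd.split()[0].lower() in ENABLE_PREFIXES for cmd in typed_commands(session))


# A privileged prompt is a bare hostname followed by '#' at the end of the
# server's output. Anchoring to line start and payload end keeps a '#' inside
# banner text from matching.
PRIV_PROMPT = re.compile(r"(?:^|\r?\n)([A-Za-z0-9._-]+)#\s*$")


def privileged_prompt_seen(session):
    """Steve's suggestion: inspect server -> client data for 'hostname#'.
    Returns the hostname from the first privileged prompt, else None."""
    for direction, payload in session:
        if direction != "s2c":
            continue
        match = PRIV_PROMPT.search(payload)
        if match:
            return match.group(1)
    return None


if __name__ == "__main__":
    for name, session in (("SESSION", SESSION), ("BENIGN", BENIGN)):
        print(name)
        print("  content 'enable':", content_match(session, "enable"))
        print("  content 'en':    ", content_match(session, "en"))
        print("  enable token:    ", enable_command_typed(session))
        print("  priv prompt:     ", privileged_prompt_seen(session))
```

On the constructed sessions the "enable" match misses the real escalation, the "en" match fires on both sessions, and the token match and the prompt check each fire only on the session that actually entered privileged mode. The prompt check has the extra advantage of not depending on what the operator typed at all.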
