[Snort-users] Detecting telnet connections with TERM=xxx set
sven.huster at ...2189...
Fri Nov 22 07:55:02 EST 2002
I wanted to alter on connection which have set TERM to e.g. xxx
So I tried:
alter tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"does not really matter"; content:"|fffa 1800|"; tag: session, 1000, packets;)
But the f$%^ thing does not work as soon as I put the content option in.
I got no idea why this does not work.
Can someone at least point me to some info about debugging rules.
More information about the Snort-users