[Snort-users] Problem accessing telnet data

Henrique Santos hsantos at ...16036...
Wed Jan 9 18:12:19 EST 2013


I have a simple alert rule to detect telnet packets with the word 
"Login". However, it seems the packet data is truncated and only the 
first 2 bytes are available for detection. The packets I want to search 
for start with "\r\nLogin..."; using content:"|od oa|" it works, using 
content:"Login" it does not work.
The rule is:
alert tcp any any -> any 23 (msg:"INFO login"; content:"Login"; sid:999;)
I am using a simple configuration file, but I have also tried with the 
original snort configuration... same result
Snort is Version 2.8.5.2 (Build 121)

-- 
Henrique M. D. Santos
Universidade do Minho
Centro Algoritmi/Dpt. Sistemas de Informação
4800-058 Guimarães
Portugal





More information about the Snort-users mailing list