[Snort-users] Need help with telnet

sepehr hashtroudilar sepehr.ha at ...11827...
Sun Dec 25 03:26:01 EST 2016


Hi,
I have a problem with telnet commands that the user is typing.
The server-to-client direction is OK, and I successfully get the alert on
incoming packets from the server, which I can drop.
The problem starts with telnet's behavior, which sends every character one by
one.
With stream5 I managed to get it to work, but I get the alert after the cmd is
executed.
What I want is to prevent the cmd from executing (IPS) and drop the packet
before it is executed.

For example: every time a user tries to execute the "net user" cmd, I want to
drop the connection before the cmd is executed on the server.
Is there any configuration for this purpose with stream5 or the ftp/telnet
processors, or any other configuration/rule?
I read the entire docs; maybe I just can't find it!?
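
The behaviour described in the post above, as an added sketch that is not part of the original message and is not Snort code or configuration: when each keystroke travels in its own segment, a per-packet content match never sees "net user", while a per-flow line buffer can withhold the segment carrying the line terminator so the command is never submitted. `LineGate`, `per_packet_match`, `verdicts` and the sample bytes are hypothetical names and constructed data.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0  # telnet command bytes (RFC 854)

class LineGate:
    """Hypothetical per-flow inline gate: rebuilds the command line from
    keystroke-sized segments and drops the segment that would submit it."""
    def __init__(self, blocked):
        self.blocked = [b.lower() for b in blocked]
        self.line, self.state, self.dropped = bytearray(), "data", False

    def _ends_line(self, b):
        """Feed one byte through a minimal telnet parser; True on CR or LF."""
        if self.state == "data":
            if b == IAC:
                self.state = "iac"
            elif b in (0x0D, 0x0A):
                return True
            elif b in (0x08, 0x7F):      # backspace/delete edits the line
                del self.line[-1:]
            else:
                self.line.append(b)
        elif self.state == "iac":        # SB, 3-byte WILL/WONT/DO/DONT, or 2-byte command
            self.state = "sb" if b == SB else "opt" if 0xFB <= b <= 0xFE else "data"
        elif self.state == "opt":        # option byte of a 3-byte command
            self.state = "data"
        elif self.state == "sb":
            self.state = "sb_iac" if b == IAC else "sb"
        else:                            # sb_iac: IAC SE closes the subnegotiation
            self.state = "data" if b == SE else "sb"
        return False

    def inspect(self, segment):
        """Return 'pass' or 'drop' for one client-to-server segment."""
        for b in segment:
            if not self.dropped and self._ends_line(b):
                typed = b" ".join(bytes(self.line).lower().split())
                self.dropped = any(p in typed for p in self.blocked)
                self.line.clear()
        return "drop" if self.dropped else "pass"

def per_packet_match(segments, pattern):
    # What a content match applied to each packet on its own would see.
    return any(pattern in s.lower() for s in segments)

# Constructed sample: option negotiation, a harmless command, then "net user"
# typed with a typo and a backspace, one keystroke per segment.
SAMPLE_SEGMENTS = [bytes([IAC, 0xFD, 0x01])] + [bytes([c]) for c in b"dir\r\nnet usr\x08er\r\n"]

def verdicts(segments, blocked=(b"net user",)):
    gate = LineGate(blocked)
    return [gate.inspect(s) for s in segments]
```

In the sample, every segment passes until the carriage return that follows "net user"; that segment and everything after it on the flow is dropped.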