Snort mailing list archives

Problems with spp_stream4.


From: Emilio Mira <emial () alumni uv es>
Date: Mon, 15 Jul 2002 06:40:06 +0200 (CEST)


I don't know what I'm doing wrong.

With "HOME_NET any" and "EXTERNAL_NET any", I'm trying to get Snort to alert on
the 'hello' string in a telnet session with this rule (in telnet.rules):

alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"TELNET hello"; flags:A+; content:"hello"; sid:3712; )

From my network, I connect to an outside server and type 'hello', but
Snort doesn't see it. But if I cut and paste 'hello' into the virtual
terminal, then it does. It seems like stream4 isn't doing its
job.

In snort.conf (snort 1.8.7) I have:

preprocessor stream4: detect_scans
preprocessor stream4_reassemble: both, ports "all"

Could anyone tell me what I'm doing wrong?

Thank you.

--
Emilio Mira


