Snort mailing list archives
Re: Detecting telnet connections with TERM=xxx set
From: Chris Green <cmg () snort org>
Date: Mon, 25 Nov 2002 09:53:20 -0500
Sven Huster <sven.huster () hosteurope com> writes:
> On Fri, Nov 22, 2002 at 02:40:22PM -0500, Chris Green wrote:
>> "Sven Huster" <sven.huster () hosteurope com> writes:
>>> Hi there
>>>
>>> I wanted to alert on connections which have set TERM to e.g. xxx
>>>
>>> So I tried:
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"does not really matter"; content:"|fffa 1800|"; tag: session, 1000, packets;)
>>>
>>> But the f$%^ thing does not work as soon as I put the content option in.
>>> I got no idea why this does not work.
>>
>> Try adding rawbytes; at the end of the content in your rules. Option
>> negotiation codes are normalized away by default. The rawbytes option
>> allows you to match the raw pattern data.
>
> Thanks for that. Works ok now.
> Just one other thing:
> Are multiple content options treated separately?
Yes.
> Like I wanted to add another one, which also might want the rawbytes option.
> Do I have to specify it each time?
Yes.
> What's up with the offset and depth options?
They will work on the rawbytes rather than the decoded buffer.
--
Chris Green <cmg () sourcefire com>
You now have 14 minutes to reach minimum safe distance.
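Added example, not part of the original thread and not Snort's own code: a simplified Python model of why `content:"|fffa 1800|"` (telnet IAC SB TERMINAL-TYPE IS) only matches once `rawbytes` is set, and what offset/depth then count against. The byte stream, function names and stripping logic are assumptions constructed for illustration.

```python
# Simplified model of telnet option stripping; not Snort's decoder code.
IAC, SB, SE = 0xFF, 0xFA, 0xF0          # telnet command bytes
TERMINAL_TYPE, IS = 0x18, 0x00          # option 24 and its IS sub-command
END_SB = bytes([IAC, SE])

def normalize(raw: bytes) -> bytes:
    """Return the payload with negotiation sequences removed."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
        elif i + 1 >= len(raw):
            break                        # truncated IAC at end of buffer
        elif raw[i + 1] == IAC:
            out.append(IAC)              # escaped literal 0xff
            i += 2
        elif raw[i + 1] == SB:           # drop through the closing IAC SE
            end = raw.find(END_SB, i + 2)
            i = len(raw) if end < 0 else end + 2
        elif 0xFB <= raw[i + 1] <= 0xFE:
            i += 3                       # WILL/WONT/DO/DONT + option byte
        else:
            i += 2                       # other two-byte command
    return bytes(out)

def content_match(buf: bytes, pattern: bytes, offset=0, depth=None) -> bool:
    """Search for pattern in the window that offset/depth select in buf."""
    end = len(buf) if depth is None else offset + depth
    return pattern in buf[offset:end]

def terminal_types(raw: bytes) -> list:
    """Names carried in IAC SB TERMINAL-TYPE IS <name> IAC SE sequences."""
    marker = bytes([IAC, SB, TERMINAL_TYPE, IS])
    names, pos = [], raw.find(marker)
    while pos >= 0:
        end = raw.find(END_SB, pos + 4)
        if end < 0:
            break
        names.append(raw[pos + 4:end].decode("ascii", "replace"))
        pos = raw.find(marker, end + 2)
    return names

# Constructed client-to-server bytes: WILL TERMINAL-TYPE, then IS "xxx", then data.
RAW = bytes.fromhex("fffb18" "fffa1800787878fff0") + b"guest\r\n"
PATTERN = bytes.fromhex("fffa1800")      # the rule's content:"|fffa 1800|"

if __name__ == "__main__":
    print("decoded buffer match:", content_match(normalize(RAW), PATTERN))
    print("raw bytes match:     ", content_match(RAW, PATTERN))
    print("terminal types:      ", terminal_types(RAW))
```

In this model the negotiation bytes count toward offset and depth when matching the raw buffer, so the positions differ from those in the decoded buffer.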