Snort mailing list archives

Previous By Date Next
Previous By Thread Next

(no subject)

From: "Carmit Partoush" <carmit () securenet co il>
Date: Tue, 11 Feb 2003 21:37:33 +0200
Hello all,
 
I am using snort, 
 
I want to verify that in one telnet session, in one minute I will not
received from the user more then 5 times the key "enter".('41')
 
 I want snort to close the session when I received the fifth enter
request.
 
That for I defined a rule : #alert tcp $HOME_NET any -> $EXTERNAL_NET 23
(msg:"TELNET login Type alarm alarm"; content:"|41|";)
 
This rule recognized telnet request and the "enter" key ('41'). I want
snort to reset the session that's  way I am using : 
 
RESP_TCP_URG resp:rst_all;  that's how I am closing the session.
 
I have no idea how to tell the snort to use the rule that I defined only
after I recognize 5 "enter" in one minute in one session.
 
(now it close the session every time I am using telnet and "enter")
 
any suggestion ???????
 
Carmit   
 
 
 
 


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: