Snort mailing list archives

Snort Alert Content Telnet


From: "kaihansen" <kaihansen () email it>
Date: Thu, 17 Apr 2003 18:52:10 +0200

Hi all.

I'm trying to catch content in telnet packets, but I have some problems.

I've tried this rule:

alert tcp any any -> any 23 (msg:"TEST"; content:"test"; rawbytes; nocase;)

then I try to telnet to my router and issue the test command, but there
isn't any alarm ...
If I "invert" the rule

alert tcp any 23 -> any any (msg:"TEST"; content:"test"; rawbytes; nocase;)

when the router replies with "Translating error for test"

then Snort sends an alarm ...

I've tried with tcpdump on the same interface where snort works, and
packets come in correctly ...

I don't know why ... any idea? I'm using snort 1.9.1

Thanks, Kai 

PS: sorry for duplicates ....









