Snort mailing list archives
Problem accessing telnet data
From: Henrique Santos <hsantos () dsi uminho pt>
Date: Wed, 09 Jan 2013 23:12:19 +0000
I have a simple alert rule to detect telnet packets with the word "Login". However, it seems the packet data is truncated and only the first 2 bytes are available for detection. The packets I want to search for start with "\r\nLogin..."; using content:"|0d 0a|" it works, using content:"Login" it does not work.

The rule is:

alert tcp any any -> any 23 (msg:"INFO login"; content:"Login"; sid:999;)

I am using a simple configuration file, but I have also tried with the original snort configuration... same result.

Snort is Version 2.8.5.2 (Build 121)

--
Henrique M. D. Santos
Universidade do Minho
Centro Algoritmi/Dpt. Sistemas de Informação
4800-058 Guimarães
Portugal
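An offline check of the symptom described in the message, as an added example that is not part of the original post and is not Snort code: it decodes Snort content strings (|..| spans are hex bytes, and matching is case-sensitive unless nocase is set) and tests the two patterns from the message against constructed payloads. The function names and the sample payloads are assumptions made for illustration.

```python
import re


def decode_content(pattern: str) -> bytes:
    """Decode a Snort content string into the raw bytes it searches for.

    Text between a pair of '|' is hex (whitespace allowed); everything else
    is literal text in which a backslash escapes the next character.
    Escaped pipes (\\|) are not handled in this sketch.
    """
    parts = pattern.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for index, segment in enumerate(parts):
        if index % 2:  # odd segments sit between pipes: hex bytes
            out += bytes.fromhex(segment)  # ValueError on non-hex such as 'od oa'
        else:          # even segments are literal text
            out += re.sub(r"\\(.)", r"\1", segment).encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, pattern: str, nocase: bool = False) -> bool:
    """Return True if the decoded pattern occurs anywhere in the payload."""
    needle = decode_content(pattern)
    if nocase:
        return needle.lower() in payload.lower()
    return needle in payload


# Constructed payloads (not captured traffic).
FULL = b"\r\nLogin: "        # the data the message says the packets start with
FIRST_TWO = FULL[:2]         # what is left if only the first 2 bytes are inspected
LOWERCASE = b"\r\nlogin: "   # same prompt in lower case, for the nocase comparison


def match_table() -> dict:
    """Map each constructed payload to the result of both patterns from the message."""
    payloads = {"full": FULL, "first_two": FIRST_TWO, "lowercase": LOWERCASE}
    patterns = ("|0d 0a|", "Login")
    return {name: {p: content_matches(data, p) for p in patterns}
            for name, data in payloads.items()}


if __name__ == "__main__":
    for name, results in match_table().items():
        print(f"{name:10s} {results}")
```

If content:"Login" fails on traffic where the "full" row says it should match, the bytes reaching the detection engine differ from the bytes on the wire, which is the situation the message reports.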