Snort mailing list archives
Telnet rule doesn't work
From: Paul Li <paul () scybersecurity com>
Date: Sat, 24 Jun 2017 06:53:00 -0400
I'm using Snort 2.9.9 on Ubuntu 16.04. Trying to build a telnet login detection rule as follows:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:429; rev:2; priority:1;)

This rule looks good to me but it doesn't fire when failed TELNET occurs. Anything missing in this rule?

NOTE: At the same time, I created an SSH rule as follows that works well:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH login attempt"; flow:to_server,established; content:"SSH-"; sid:10000002; rev:3; classtype:attempted-user;)

Thanks,
Paul