Snort mailing list archives

Re: Problems with spp_stream4.


From: Chris Green <cmg () sourcefire com>
Date: Mon, 15 Jul 2002 08:48:52 -0400

Emilio Mira <emial () alumni uv es> writes:

> I don't know what I'm doing wrong.
>
> With "HOME_NET any" and "EXTERNAL_NET any", I'm trying to have Snort advertise
> the 'hello' string in a telnet session with this rule (in telnet.rules):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"TELNET hello"; flags:A+; content:"hello"; sid:3712; )
>
> From my network, I connect to an outside server and type 'hello', but
> Snort doesn't see it. But if I do a 'cut-and-paste' over the virtual
> terminal with 'hello', then it does. It seems like stream4 doesn't do its
> job.

Are you keeping the session open and then stopping snort? Or are you
closing telnet down and then stopping snort?
-- 
Chris Green <cmg () sourcefire com>
You now have 14 minutes to reach minimum safe distance.
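
Added example, not part of the original thread and not Snort's code: a toy model of the symptom described above, where 'hello' typed one keystroke per TCP segment never appears in any single payload, while a paste arrives in one segment. The Segment type, helper names, sequence numbers and the rule that buffered data is inspected only when a FIN flushes it are assumptions of this model, not stream4 internals.

```python
from dataclasses import dataclass

PATTERN = b"hello"  # content string from the rule quoted in the message

@dataclass
class Segment:
    seq: int            # sequence number of the first payload byte
    payload: bytes
    fin: bool = False   # True if this segment closes the client side

def keystrokes(text, start_seq, close=False):
    """Constructed traffic: one segment per typed character."""
    segs = [Segment(start_seq + i, bytes([b])) for i, b in enumerate(text)]
    if close:
        segs.append(Segment(start_seq + len(text), b"", fin=True))
    return segs

def per_packet_hits(segments, pattern=PATTERN):
    """Sequence numbers of segments whose own payload contains the pattern."""
    return [s.seq for s in segments if pattern in s.payload]

def reassembled_hits(segments, pattern=PATTERN):
    """Toy reassembler: order by sequence number, drop retransmissions,
    and inspect the buffered stream only when a FIN flushes it."""
    buffered, seen, hits = b"", set(), 0
    for s in sorted(segments, key=lambda s: s.seq):
        if s.payload and s.seq not in seen:
            seen.add(s.seq)
            buffered += s.payload
        if s.fin:                      # flush point in this model (assumption)
            hits += pattern in buffered
            buffered = b""
    return hits

# Constructed sample sessions (not captured traffic).
TYPED_OPEN = keystrokes(b"hello\r\n", 1000)                 # session still open
TYPED_CLOSED = keystrokes(b"hello\r\n", 1000, close=True)   # client closed telnet
PASTED = [Segment(1000, b"hello\r\n")]                      # paste arrives as one segment

if __name__ == "__main__":
    for name, segs in [("typed/open", TYPED_OPEN),
                       ("typed/closed", TYPED_CLOSED),
                       ("pasted", PASTED)]:
        print(name, per_packet_hits(segs), reassembled_hits(segs))
```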

