Snort mailing list archives

Re: Detecting telnet connections with TERM=xxx set


From: Andreas Östling <andreaso () it su se>
Date: Fri, 22 Nov 2002 21:26:07 +0100 (CET)


On Fri, 22 Nov 2002, Sven Huster wrote:

> Hi there
>
> I wanted to alert on connections which have set TERM to e.g. xxx
> So I tried:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"does not really matter"; content:"|ff fa 18 00|"; tag:session,1000,packets;)
>
> But the f$%^ thing does not work as soon as I put the content option in.
> I've got no idea why this does not work.
>
> Can someone at least point me to some info about debugging rules.

Are you using the telnet_decode preprocessor?
In that case, try adding 'rawbytes;' to your sig.
See http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.38

/Andreas


