Snort mailing list archives

Re: Detecting telnet connections with TERM=xxx set


From: Sven Huster <sven.huster () hosteurope com>
Date: Mon, 25 Nov 2002 10:59:29 +0000

On Fri, Nov 22, 2002 at 02:40:22PM -0500, Chris Green wrote:
"Sven Huster" <sven.huster () hosteurope com> writes:

Hi there

I wanted to alert on connections which have set TERM to e.g. xxx
So I tried:
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"does not really matter"; content:"|fffa 1800|"; tag: session, 1000, packets;)

But the f$%^ thing does not work as soon as I put the content option in.
I got no idea why this does not work.

Try adding rawbytes; at the end of the content in your rules.

Option negotiation codes are normalized away by default.   The
rawbytes option allows you to match the raw pattern data.

Thanks for that. Works ok now.

Just one other thing:
Are multiple content options treated separately?
Like I wanted to add another one, which also might want the rawbytes option.
Do I have to specify it each time?
What's up with the offset and depth options?

Thanks
Sven
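
Added example, not part of the original thread and not Snort's own code: a simplified Python model of telnet normalization, showing why the rule's |fffa 1800| pattern is present in the raw bytes but gone from the normalized data. The function names and the sample capture are constructed for illustration.

```python
# Added example: simplified model of telnet normalization, not Snort's code.
IAC, SB, SE = 0xFF, 0xFA, 0xF0
WILL, DONT = 0xFB, 0xFE          # WILL, WONT, DO, DONT are 0xFB..0xFE
TERMINAL_TYPE, IS = 0x18, 0x00   # telnet option 24 and its IS subcommand
PATTERN = bytes.fromhex("fffa1800")  # content:"|fffa 1800|" from the rule

def split_stream(raw):
    """Split a telnet byte stream into (data, subnegotiations).
    subnegotiations is a list of (option, payload) from IAC SB ... IAC SE."""
    data, subs, i = bytearray(), [], 0
    while i < len(raw):
        if raw[i] != IAC or i + 1 >= len(raw):
            data.append(raw[i])              # ordinary data byte
            i += 1
            continue
        cmd = raw[i + 1]
        if cmd == IAC:                       # IAC IAC is an escaped 0xFF
            data.append(IAC)
            i += 2
        elif WILL <= cmd <= DONT:            # three-byte option negotiation
            i += 3
        elif cmd == SB:
            end = raw.find(bytes([IAC, SE]), i + 2)
            if end == -1:                    # unterminated block: drop the rest
                break
            if end > i + 2:
                subs.append((raw[i + 2], raw[i + 3:end]))
            i = end + 2
        else:                                # other two-byte commands (NOP, GA)
            i += 2
    return bytes(data), subs

def normalize(raw):
    """Data left after negotiation sequences are stripped."""
    return split_stream(raw)[0]

def terminal_types(raw):
    """TERM values sent in TERMINAL-TYPE IS subnegotiations."""
    return [p[1:].decode("ascii", "replace") for opt, p in split_stream(raw)[1]
            if opt == TERMINAL_TYPE and p[:1] == bytes([IS])]

# Constructed capture: WILL TERMINAL-TYPE, TERM=xxx, then typed input.
SAMPLE = (bytes.fromhex("fffb18") + PATTERN + b"xxx" + bytes.fromhex("fff0")
          + b"guest\r\n")

if __name__ == "__main__":
    print("pattern in raw bytes: ", PATTERN in SAMPLE)
    print("pattern in normalized:", PATTERN in normalize(SAMPLE))
    print("TERM values seen:     ", terminal_types(SAMPLE))
```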

