Snort mailing list archives
Re: Telnet rule doesn't work
From: rmkml <rmkml () ligfy org>
Date: Sun, 25 Jun 2017 00:11:15 +0200 (CEST)
Hello Paul,

It fires for me. Could you share a pcap, please?

Could you check whether it fires on your side after adding "-k none", please? (Disables the checksum check.)

Could you check after replacing $TELNET_SERVERS and $EXTERNAL_NET with ANY, please? (Only for testing.)

Best Regards
@Rmkml

On Sat, 24 Jun 2017, Paul Li wrote:
I'm using Snort 2.9.9 on Ubuntu 16.04. I'm trying to build a telnet login detection rule as follows:

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:429; rev:2; priority:1;)

This rule looks good to me, but it doesn't fire when a failed TELNET login occurs. Is anything missing in this rule?

NOTE: At the same time, I created an SSH rule as follows that works well:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH login attempt"; flow:to_server,established; content:"SSH-"; sid:10000002; rev:3; classtype:attempted-user;)

Thanks,
Paul
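The following is an added example, not code from this thread or from Snort itself. It models the part of rule evaluation that rmkml's "replace the variables with ANY" test probes: how Snort resolves $VAR and !$VAR address specs in the rule header before any content match is attempted. The variable values (HOME_NET as a /24, TELNET_SERVERS inheriting $HOME_NET, EXTERNAL_NET as !$HOME_NET) and the failed-login reply are constructed for the demonstration and are not taken from any snort.conf. The checksum point behind "-k none" is not modelled here.

```python
"""Simulate Snort address-variable resolution and header matching for Paul's
TELNET rule. Added example, not Snort's code; all variable values and traffic
below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed variable table (assumption, not a real snort.conf).
DEFAULT_VARS = {
    "HOME_NET": "192.168.1.0/24",
    "TELNET_SERVERS": "$HOME_NET",
    "EXTERNAL_NET": "!$HOME_NET",
}

# rmkml's "only for testing" suggestion: every address variable becomes any.
ANY_VARS = {name: "any" for name in DEFAULT_VARS}

# Paul's rule, as posted in the thread.
TELNET_RULE = ('alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any '
               '(msg:"TELNET login incorrect"; content:"Login incorrect"; nocase; '
               'classtype:bad-unknown; sid:429; rev:2; priority:1;)')


@dataclass
class Segment:
    """One TCP segment: the minimum a header check and a content match need."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """Resolve a Snort address spec ($VAR, !spec, any, CIDR) against one IP."""
    spec = spec.strip()
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.lower() == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    return spec.lower() == "any" or int(spec) == port


def parse_rule(rule: str) -> dict:
    """Split a one-line rule into its header fields and its content option."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    if direction != "->":
        raise ValueError("this example only handles unidirectional '->' rules")
    content = re.search(r'content:"([^"]*)"', options)
    return {
        "src": src, "sport": sport, "dst": dst, "dport": dport,
        "content": content.group(1).encode() if content else b"",
        "nocase": re.search(r"\bnocase;", options) is not None,
    }


def rule_fires(rule: str, seg: Segment, variables: dict) -> bool:
    """True when the header matches the segment and the payload holds the content."""
    r = parse_rule(rule)
    header_ok = (addr_matches(r["src"], seg.src_ip, variables)
                 and port_matches(r["sport"], seg.src_port)
                 and addr_matches(r["dst"], seg.dst_ip, variables)
                 and port_matches(r["dport"], seg.dst_port))
    if not header_ok:
        return False
    payload, needle = seg.payload, r["content"]
    if r["nocase"]:
        payload, needle = payload.lower(), needle.lower()
    return needle in payload


# Constructed server-to-client reply after a failed telnet login.
FAILED_LOGIN = b"\r\nLogin incorrect\r\nlogin: "
# Internal telnet server answering an internal client (a typical lab test).
INTERNAL_CLIENT = Segment("192.168.1.10", 23, "192.168.1.50", 52000, FAILED_LOGIN)
# The same server answering a client outside HOME_NET.
EXTERNAL_CLIENT = Segment("192.168.1.10", 23, "203.0.113.5", 40000, FAILED_LOGIN)


def demo() -> dict:
    """Evaluate the rule for each constructed case under both variable tables."""
    return {
        "internal_defaults": rule_fires(TELNET_RULE, INTERNAL_CLIENT, DEFAULT_VARS),
        "internal_any": rule_fires(TELNET_RULE, INTERNAL_CLIENT, ANY_VARS),
        "external_defaults": rule_fires(TELNET_RULE, EXTERNAL_CLIENT, DEFAULT_VARS),
    }


if __name__ == "__main__":
    for case, fired in demo().items():
        print(f"{case:18s} -> {'alert' if fired else 'no alert'}")
```

With the constructed defaults, the reply to an internal client never reaches the content match because the destination falls inside HOME_NET and so fails the !$HOME_NET test on $EXTERNAL_NET; with every variable set to any, the same segment fires. This is why swapping the variables for ANY is a useful first isolation step: if the rule then fires, the problem is the header, not the content.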