Re: Telnet rule doesn't work

[rmkml <rmkml () ligfy org>]

Hello Paul,
It's fire for me,
could you share a pcap please ?
could you check if fire on your side by adding "-k none" please ? (disable checksum check)
could you check replace $TELNET_SERVERS and $EXTERNAL_NET by ANY please ? (only for testing)
Best Regards
@Rmkml

On Sat, 24 Jun 2017, Paul Li wrote:

> I'm using Snort 2.9.9 on Ubuntu 16.04. Trying to build a telnet login detection rule as the following:
>
> alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; 
> nocase;classtype:bad-unknown; sid:429; rev:2; priority:1;)                         
>
>
> This rule looks good to me but it doesn't fire when failed TELNET occurs. Any thing missing in this rule?
>
> NOTE: At the same time, I created a SSH rule as the following that works well:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SSH login attempt"; flow:to_server,established; content:"SSH-"; 
> sid:10000002; rev:3; classtype:attempted-user;)
>
>
> Thanks,
> Paul
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" 
https://snort.org/downloads/#rule-downloads";>emerging threats</a>!