Snort mailing list archives
Telnet session username
From: <kirk () Root-etc org>
Date: Thu, 14 Nov 2002 14:02:12 -0800 (PST)
Hello,
I want snort to alert me of successful and failed telnet logins as
root to a UNIX server. The default telnet rule for root logins fails
to alert when a root login occurs. I have tested this in a lab
environment with a UNIX host and UNIX server. It appears this telnet
server receives and sends each keystroke in a separate packet instead
of all in one packet. I have the Telnet_decode enabled in snort.conf
and successfully catch incorrect logins, but the server sends the
entire phrase "incorrect login" in one packet. I have tried writing
custom rules with the tag option to log the next 10 packets, but
it is a pain to sift through all the alerts to get at the little
information I need.
I am currently running snort 1.9.0 on a RH 7.3 w/acid and mysql.
Any help would be most appreciated.
Kirk
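
The behaviour described in the post, as an added Python example (not part of the original message and not Snort code): a per-packet content match on "root" never fires when each keystroke arrives in its own packet, while following the session in order and stripping telnet negotiation recovers the typed username and the login outcome. The packet tuples, prompts, helper names and session bytes are constructed assumptions; only the failure phrase "incorrect login" comes from the post.

```python
import re

# IAC SB ... IAC SE | IAC WILL/WONT/DO/DONT <opt> | IAC IAC | IAC <cmd>
TELNET_CMD = re.compile(rb"\xff(?:\xfa.*?\xff\xf0|[\xfb-\xfe].|\xff|.)", re.S)

def strip_telnet(data):
    """Drop telnet negotiation, keep user-visible bytes (IAC IAC -> 0xFF)."""
    return TELNET_CMD.sub(lambda m: b"\xff" if m.group() == b"\xff\xff" else b"", data)

def per_packet_hit(packets, needle=b"root"):
    """What a single-packet content match sees on client traffic."""
    return any(needle in p for d, p in packets if d == "c2s")

def login_events(packets, fail_marker=b"incorrect login"):
    """Follow one session in order; return [(username, 'failed' | 'success')]."""
    state, line, srv, user, events = "want_login", bytearray(), bytearray(), None, []
    for direction, payload in packets:
        data = strip_telnet(payload)
        if direction == "s2c":
            srv += data
            low = bytes(srv).lower()
            if state == "result" and low.strip():      # first output after the password
                events.append((user, "failed" if fail_marker in low else "success"))
                state = "want_login"
            if state == "want_login" and low.rstrip().endswith(b"login:"):
                state, srv = "user", bytearray()
            elif state == "want_pw" and low.rstrip().endswith(b"password:"):
                state, srv = "pw", bytearray()
        elif state in ("user", "pw"):
            line += data                               # reassemble the keystrokes
            if b"\r" in line or b"\n" in line:         # end of the typed line
                text = bytes(line).replace(b"\n", b"\r").split(b"\r")[0]
                line, srv = bytearray(), bytearray()
                if state == "user":
                    user, state = text.decode("latin-1"), "want_pw"
                else:
                    state = "result"                   # the password itself is discarded
    return events

def keystrokes(text):  # constructed input: one packet per keystroke
    return [("c2s", bytes([c])) for c in text]

SESSION = (  # constructed session: one failed, then one successful root login
    [("s2c", b"\xff\xfd\x18login: ")]
    + keystrokes(b"root\r") + [("s2c", b"\r\nPassword: ")]
    + keystrokes(b"wrong\r") + [("s2c", b"\r\nincorrect login\r\nlogin: ")]
    + keystrokes(b"root\r") + [("s2c", b"\r\nPassword: ")]
    + keystrokes(b"secret\r") + [("s2c", b"\r\nLast login: (constructed)\r\n# ")]
)
```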
