Snort mailing list archives

Re: (no subject)


From: Erek Adams <erek () snort org>
Date: Thu, 13 Feb 2003 09:11:25 -0500 (EST)

On Tue, 11 Feb 2003, Carmit Partoush wrote:

> I am using snort,
>
> I want to verify that in one telnet session, in one minute I will not
> receive from the user more than 5 times the key "enter" ('41').
>
> I want snort to close the session when I receive the fifth enter
> request.
>
> Therefore I defined a rule:
> #alert tcp $HOME_NET any -> $EXTERNAL_NET 23
> (msg:"TELNET login Type alarm alarm"; content:"|41|";)
>
> This rule recognizes the telnet request and the "enter" key ('41'). I want
> snort to reset the session, that's why I am using:
>
> RESP_TCP_URG resp:rst_all;  that's how I am closing the session.
>
> I have no idea how to tell snort to use the rule that I defined only
> after I recognize 5 "enter" in one minute in one session.
>
> (now it closes the session every time I am using telnet and "enter")

Short answer:  You can't

Long answer: There's no time based functionality in snort.  The best you
could do would be to match |41 41 41 41 41| in your content line.  That's not
going to work exactly as you want it to, but it's a start.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
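
Added example, not part of the original message and not Snort code: a Python sketch contrasting the static five-byte content match suggested above with the per-session, 60-second count the question asks for. The byte value is the one in the posted rule; the function names, session tuples and packet events are constructed for illustration.

```python
from collections import defaultdict, deque

KEY = b"\x41"    # byte matched by the posted rule, content:"|41|"
LIMIT = 5        # act on the fifth occurrence
WINDOW = 60.0    # seconds ("in one minute")

def consecutive_match(events, run=KEY * LIMIT):
    """Static match, like content:"|41 41 41 41 41|": needs five adjacent
    key bytes inside a single payload, with no notion of time or session."""
    return [(ts, sess) for ts, sess, payload in events if run in payload]

def windowed_match(events, key=KEY, limit=LIMIT, window=WINDOW):
    """Per-session sliding window: report when the limit-th key byte
    arrives within `window` seconds. `events` must be in time order."""
    seen = defaultdict(deque)    # session 4-tuple -> timestamps of key bytes
    hits = []
    for ts, sess, payload in events:
        q = seen[sess]
        q.extend([ts] * payload.count(key))
        while q and ts - q[0] >= window:   # drop occurrences older than the window
            q.popleft()
        if len(q) >= limit:
            hits.append((ts, sess))        # a session reset would be issued here
            q.clear()                      # one action per burst
    return hits

# Constructed sessions: (src_ip, src_port, dst_ip, dst_port)
A = ("10.0.0.5", 40001, "192.0.2.10", 23)   # five key bytes in 31 s, one per packet
B = ("10.0.0.6", 40002, "192.0.2.10", 23)   # five key bytes spread over 281 s
C = ("10.0.0.7", 40003, "192.0.2.10", 23)   # five key bytes in one payload

# Constructed events: (timestamp_seconds, session, payload)
EVENTS = [
    (0.0, A, KEY), (5.0, A, b"ls" + KEY), (9.0, B, KEY), (12.0, A, KEY),
    (20.0, A, KEY), (31.0, A, KEY), (80.0, B, KEY), (150.0, B, KEY),
    (220.0, B, KEY), (290.0, B, KEY), (300.0, C, KEY * 5),
]

if __name__ == "__main__":
    print("static 5-byte match :", consecutive_match(EVENTS))
    print("60 s window, per session:", windowed_match(EVENTS))
```

The static match only sees session C, where the five bytes share one payload; session A, which sends them one per packet inside a minute, is caught only by the windowed count, and the slow session B is caught by neither.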

