Not exactly a signature issue but this seems to be the best place to
post.
I've just installed 2.7 and turned on the ftp/telnet preprocessor -- I
see that both ftp and telnet are generating these alerts. I assume
that it decides stuff is encrypted if it strikes anything that is not
in its protocol model. In the case of the ftp some of the packets were
seriously broken but these telnet alerts, like the one below, are
from a range of systems and all have the same form suggesting that
there is something lacking in the model.
Russell
META
  SID: 6   CID: 8815382   TimeStamp: 2007-08-20 16:18:15
  Signature: telnet_pp: Telnet data encrypted   Sig ID: 2
  Sensor Hostname: monitor-dmzo.isec.auckland.ac.nz   Sensor Interface: dmz sensor

IP
  Source Address: 130.216.x.yy   Dest Address: 216.155.193.135
  Ver: 4   Hdr Len: 5   TOS: 0   length: 89   ID: 58040   flags: 2   offset: 0   TTL: 126   chksum: 63296
  Resolved Source: abbb.ccc.auckland.ac.nz   Resolved Dest: cs8.msg.dcn.yahoo.com

TCP
  Source Port: 1262   Dest Port: 23   Seq: 2057010961   Ack: 1040909924
  Offset: 5   Reserved: 0   Flags: 24   Window: 64816   Checksum: 12746   Urgent Ptr: 0
  Flags set: ACK PSH   (RB 1, RB 0, URG, RST, SYN, FIN not set)

DATA (hex / ASCII)
  594D5347000F0000001D   YMSG......
  00C600000000764AB787   ......vJ..
  3130C080393939C08031   10..999..1
  39C080C0803937C08031   9....97..1
  C0803437C08032C080     ..47..2..

DATA (ASCII)
  YMSG............vJ..10..999..19....97..1..47..2..
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs