716.txt

snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具

Rule:

--
Sid:
716

--
Summary:
This event is generated when a remote user successfully connects to a telnet server. 

--
Impact:
Remote access.  This event may be an indication of a successful telnet connection by an authorized or unauthorized user. 

--
Detailed Information:
A message is generated by a telnet server after a successful connection.  This particular event occurs when a remote user who does not belong to the internal network successfully connects to a telnet server.  This may be a legimate connection by an authorized user or a undesired connection by an unauthorized user.  Since telnet connections are not encrypted, it is possible that user accounts and passwords may be sniffed and used by attackers.  Telnet connections are not considered to be secure especially over the Internet.  Secure shell is the recommended service for remote connectivity since it uses encrypted sessions.

--
Affected Systems:
Telnet servers.

--
Attack Scenarios:
An attacker may attempt to connect to a telnet server after sniffing a username and password.

--
Ease of Attack:
Simple

--
False Positives:
If authorized users are allowed to connect remotely using telnet, disable this rule.

--
False Negatives:
None known.

--
Corrective Action:

Consider using Secure Shell instead of telnet.

Block inbound telnet connections if it is not required.

--
Contributors:
Original rule written by Max Vision <vision@whitehats.org>
Documented by Steven Alexander<alexander.s@mccd.edu>
Sourcefire Research Team
Judy Novak <judy.novak@sourcefire.com>

--
Additional References:

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0619

Arachnids:
http://www.whitehats.com/info/IDS08

--