Enterasys Intrusion Prevention System Manual page 249

Network sensor policies and signatures guide

6.x to 7.x Mappings

Table A-1 6.x to 7.0 Keyword Mapping (continued)

6.x Keyword: TELCONVERT

7.0 XML Attribute: NSC/SC/C/TelnetAnalysis

Description: The Telnet protocol, as defined by RFC 854 and companion RFCs, allows for in-band command communication. Therefore, it is possible to embed Telnet commands into the character stream to obscure an attack.

Functionality can be divided into three categories. First, the Network Sensor will look for and remove all of the defined in-line Telnet commands (and associated attributes). Then, it will remove all backspace/delete characters and the associated characters that were deleted. Lastly, it will collapse spaces to a single space character.

| Actual Keystrokes | Converted Keystrokes |
|---|---|
| cat /etc/abc\b\b\bpasswd | cat /etc/passwd |
| cat      /etc/passwd | cat /etc/passwd |
| cat \255\241/etc/passwd | cat /etc/passwd |

Technical Notes: Applied to all traffic with the T complex port rule (as defined inside the dragon.net - typically ports 21 and 23).

Because TelnetAnalysis is applied to both Telnet and FTP, there is a possibility that Telnet events may be falsely generated on an FTP port and vice versa.

Creating Network Sensor Policies and Signatures A-55
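The three normalization stages described above, sketched in Python as an added example (this is not Enterasys code or the sensor's actual implementation). The function names are hypothetical, the command codes come from RFC 854, and treating IAC IAC as a literal 0xFF data byte is an assumption taken from the RFC rather than from the manual.

```python
import re

IAC, SE, SB = 255, 240, 250         # RFC 854 command codes
OPTION_CMDS = {251, 252, 253, 254}  # WILL, WONT, DO, DONT: one option byte follows
ERASE = {0x08, 0x7F}                # backspace and delete

def strip_telnet_commands(data: bytes) -> bytes:
    """Stage 1: drop in-band IAC sequences, keep user data."""
    out, i, n = bytearray(), 0, len(data)
    while i < n:
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 1 >= n:            # truncated IAC at end of buffer
            break
        elif data[i + 1] == IAC:    # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif data[i + 1] in OPTION_CMDS:
            i += 3
        elif data[i + 1] == SB:     # skip subnegotiation up to IAC SE
            j = i + 2
            while j < n - 1 and not (data[j] == IAC and data[j + 1] == SE):
                j += 2 if data[j] == IAC else 1
            i = j + 2
        else:                       # two-byte command, e.g. NOP (241)
            i += 2
    return bytes(out)

def apply_erasures(data: bytes) -> bytes:
    """Stage 2: remove each backspace/delete and the byte it erased."""
    out = bytearray()
    for b in data:
        if b not in ERASE:
            out.append(b)
        elif out:
            out.pop()
    return bytes(out)

def normalize(data: bytes) -> bytes:
    """Stage 3 collapses runs of spaces after stages 1 and 2."""
    return re.sub(rb" {2,}", b" ", apply_erasures(strip_telnet_commands(data)))

# Constructed inputs: the three table rows plus one mixing all three tricks.
SAMPLES = [b"cat /etc/abc\b\b\bpasswd", b"cat     /etc/passwd",
           b"cat \xff\xf1/etc/passwd", b"cat \xff\xfd\x18  /etc/pasX\x7fswd"]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(raw, "->", normalize(raw))
```

Running a signature match for `/etc/passwd` against the output of `normalize` rather than the raw stream is what lets a single pattern cover all of the obscured variants.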
