# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
#
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
#
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#-----------------------
# PROTOCOL-TELNET RULES
#-----------------------
#
# Reading this file:
#   - A rule whose line starts with "# alert" is shipped disabled; remove the leading
#     "#" to enable it. Only sids 3274, 3147 and 33050 are enabled as distributed here.
#   - $EXTERNAL_NET, $HOME_NET and $TELNET_SERVERS are variables resolved from the
#     Snort configuration; $TELNET_SERVERS must be defined there or the rules that
#     use it will not load (presumably it defaults to $HOME_NET in the stock config —
#     verify against your snort.conf).
#   - "flow:to_server" rules inspect data sent to a telnet server on port 23;
#     "flow:to_client" rules inspect the server's replies. Rules written as
#     "$EXTERNAL_NET 23 -> $HOME_NET any" protect telnet CLIENTS inside $HOME_NET
#     that connect to outside servers.
#   - "rawbytes" makes a content match run against the unnormalized stream, which is
#     needed for telnet IAC sequences (|FF ...|) that the telnet preprocessor would
#     otherwise strip.
#
# Detection of a vendor default credential sent to a RuggedCom device. This rule
# only fires when the telnet.ruggedcom flowbit is already set, which sid:21939 (the
# banner rule further down) is responsible for; enable both together or the
# "flowbits:isset" check never matches.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET RuggedCom default backdoor login attempt"; flow:to_server,established; flowbits:isset,telnet.ruggedcom; content:"factory"; metadata:policy security-ips drop, service telnet; reference:cve,2012-1803; reference:url,attack.mitre.org/techniques/T1078; reference:url,www.securityfocus.com/archive/1/522467; classtype:attempted-admin; sid:21938; rev:5;)
#
# Server-side login outcome messages. These are informational (classtype
# bad-unknown / suspicious-login) and can be noisy on busy hosts; they are most
# useful aggregated as brute-force or privilege-escalation indicators rather than
# as stand-alone alerts.
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:718; rev:16;)
#
# Legacy attacks that pass environment variables through the telnet session.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16;)
# Five consecutive IAC BRK (|FF F3|) sequences.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15;)
#
# More server-side response strings (su / console / root-login indicators).
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:attempted-admin; sid:715; rev:14;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:717; rev:15;)
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:suspicious-login; sid:719; rev:15;)
#
# BSD telnetd overflow (CVE-2001-0554): sid:1252 watches the server's reply,
# sid:1253 the client's follow-up (dsize/offset/depth pin the match to bytes
# 200-250 of a >200-byte payload).
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:23;)
#
# Well-known default / vendor account names sent to the server.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2406; rev:14;)
#
# TTYPROMPT login overflow (CVE-2001-0797). Both rules are ENABLED. Both set the
# "ttyprompt" flowbit; nothing in this file reads it, so presumably other rules in
# the ruleset check it — confirm before disabling either rule. sid:3274 uses a
# non-greedy, case-insensitive pcre anchored relative to the preceding content
# match (flags R = relative, B = rawbytes, i = case-insensitive) to catch the
# option name written with filler between letters; sid:3147 matches the
# unobfuscated form.
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:13;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt; metadata:ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:14;)
#
# Client-side rules (server -> $HOME_NET client): a malicious telnet SERVER asking
# the client to disclose environment variables (MS05-033 / CVE-2005-1205).
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 03|"; fast_pattern:only; rawbytes; metadata:service telnet; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-033; classtype:attempted-recon; sid:3687; rev:10;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT VAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 00|"; fast_pattern:only; rawbytes; metadata:service telnet; reference:bugtraq,13940; reference:cve,2005-1205; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-033; classtype:attempted-recon; sid:3688; rev:10;)
#
# MIT krb5 telnetd authentication bypass via a crafted USER environment value
# (CVE-2007-0956). The second content is anchored after the IAC SB (distance:0).
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET kerberos login environment variable authentication bypass attempt"; flow:to_server,established; content:"|FF FA|"; rawbytes; content:"USER|01|-e"; distance:0; rawbytes; metadata:service telnet; reference:cve,2007-0956; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-001-telnetd.txt; classtype:attempted-admin; sid:10464; rev:7;)
#
# Unterminated-suboption pattern used by several rules below: after the IAC SB
# header, "isdataat:N,relative" requires at least N more bytes and
# "content:!"|FF F0|"; within:N" requires that no IAC SE terminator appears in
# them, i.e. an over-long suboption. Use of "policy max-detect-ips drop" means
# these only drop under the max-detect policy.
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET Client env_opt_add Buffer Overflow attempt"; flow:to_client,established; content:"|FF FA 27 01|"; rawbytes; isdataat:128,relative,rawbytes; content:!"|FF F0|"; within:128; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12919; reference:cve,2005-0468; classtype:attempted-dos; sid:17269; rev:6;)
#
# FreeBSD telnetd encryption key-id overflows (CVE-2011-4862); note these use
# "fast_pattern" (not ":only") so the content is still verified after the
# fast-pattern hit.
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET FreeBSD telnetd enc_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 07|"; fast_pattern; rawbytes; isdataat:66,relative,rawbytes; content:!"|FF F0|"; within:66; rawbytes; metadata:service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20812; rev:8;)
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET FreeBSD telnetd dec_keyid overflow attempt"; flow:established,to_server; content:"|FF FA 26 08|"; fast_pattern; rawbytes; isdataat:66,relative,rawbytes; content:!"|FF F0|"; within:66; rawbytes; metadata:service telnet; reference:bugtraq,51182; reference:cve,2011-4862; reference:url,security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc; classtype:attempted-admin; sid:20813; rev:8;)
#
# Flowbit setter for sid:21938 (above). "flowbits:noalert" means this rule never
# produces an alert of its own; it only tags the session as a RuggedCom device.
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET RuggedCom telnet initial banner"; flow:to_client,established; content:"RuggedCom"; fast_pattern:only; flowbits:set,telnet.ruggedcom; flowbits:noalert; metadata:service telnet; classtype:misc-activity; sid:21939; rev:4;)
#
# NOTE(review): sid:25856 carries the same msg and references as sid:17269 but keys
# on |FF FA 22 03| (LINEMODE option 0x22, SLC suboption 0x03) — the same header
# sid:3533 below uses — rather than the NEW-ENVIRON option 0x27 that sid:17269
# matches. Presumably intentional (a second vector for the same CVE); confirm
# against the upstream ruleset before relying on the msg text for triage.
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET Client env_opt_add Buffer Overflow attempt"; flow:to_client,established; content:"|FF FA 22 03|"; rawbytes; isdataat:128,relative,rawbytes; content:!"|FF F0|"; within:128; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12919; reference:cve,2005-0468; classtype:attempted-dos; sid:25856; rev:3;)
#
# SGI telnetd format-string bug (CVE-2000-0733).
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; fast_pattern:only; content:"bin/sh"; metadata:ruleset community, service telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18;)
#
# Microsoft Telnet Server overflow (MS15-002 / CVE-2015-0014), two variants:
# sid:33050 (ENABLED) requires ten contiguous IAC AYT (|FF F6|) sequences and is
# cheap (fast_pattern:only); sid:33451 (disabled) allows up to 50 bytes between
# each of eleven occurrences, catching spaced-out variants at higher inspection
# cost. These use $HOME_NET rather than $TELNET_SERVERS as the destination.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt"; flow:to_server,established; content:"|FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6 FF F6|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2015-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-002; classtype:attempted-user; sid:33050; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET Microsoft Telnet Server buffer overflow attempt"; flow:to_server,established; content:"|FF F6|"; fast_pattern:only; content:"|FF F6|"; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; content:"|FF F6|"; within:50; metadata:policy max-detect-ips drop, policy security-ips drop, service telnet; reference:cve,2015-0014; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-002; classtype:attempted-user; sid:33451; rev:2;)
#
# Client-side overflows in telnet clients (CVE-2005-0469): sid:3537 looks for 100+
# repeated escape sequences inside a NEW-ENVIRON suboption (pcre flags R = relative,
# B = rawbytes, s/m = dot-all / multi-line); sid:3533 is the unterminated LINEMODE
# SLC suboption check (no |FF| within 124 bytes).
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client ENV OPT escape overflow attempt"; flow:to_client,established; content:"|FF FA|'|01|"; rawbytes; pcre:"/(\x02([\x01\x02\x03]|\xFF\xFF)){100,}/RBsm"; content:"|FF F0|"; distance:0; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3537; rev:11;)
# alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"PROTOCOL-TELNET client LINEMODE SLC overflow attempt"; flow:to_client,established; content:"|FF FA 22 03|"; rawbytes; isdataat:123,relative,rawbytes; content:!"|FF|"; within:124; rawbytes; metadata:policy max-detect-ips drop, service telnet; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3533; rev:12;)
#
# NOTE(review): the content of sid:45191 is empty in this copy (content:"").
# That is almost certainly an artifact of how this file was extracted — the
# pattern for an XSS rule is presumably HTML markup that was stripped — and an
# empty content would be rejected when the rule is loaded. Restore the pattern
# from the upstream ruleset before enabling this rule; do not guess it.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"PROTOCOL-TELNET TippingPoint IPS telnet login failure xss attempt"; flow:to_server,established; content:""; fast_pattern:only; metadata:policy max-detect-ips drop, service telnet; classtype:misc-attack; sid:45191; rev:1;)