This file is indexed.

/etc/snort/rules/telnet.rules is in snort-rules-default 2.9.7.0-5.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $
#-------------
# TELNET RULES
#-------------
#
# These signatures are based on various telnet exploits and unpassword
# protected accounts.
#


alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;)
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; rev:3;)