Snort mailing list archives
RE: MS Terminal Server Requests
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Fri, 20 Dec 2002 14:00:50 -0500
SID 1447 - MISC MS Terminal server request (RDP)
AFAIK, this sig is for simple Terminal Server connections, and nowhere does it mention 'malformed' requests. This rule works without even being logged in, but simply the Remote Client talking to the TS, as telnetting doesn't produce the same alert.

I just tested on a production server by connecting and not logging in or touching anything at that point, and I received a single alert as usual. Proceeding to use TS produces 0 extra alerts.

hth,
John

-----Original Message-----
From: Parker, Ian [mailto:parker.ian () syncrude com]
Sent: Friday, December 20, 2002 1:28 PM
To: 'snort-users () lists sourceforge net'
Subject: [Snort-users] MS Terminal Server Requests

I was wondering who created the experimental Snort rule for detecting malformed RDP packets in an MS terminal server request, SID 1447, and how they came up with that particular payload. The reason I'm curious is that every RDP packet to my terminal servers has this payload, so the rule gets triggered all the time.

Ian Parker, GCWN
Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd
(780)790-4631
parker.ian () syncrude com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
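The behaviour described in the reply above (one alert per connection, none for telnet, none during normal use), modelled as an added example that is not part of the thread or the Snort rule set. It assumes SID 1447 keys on the X.224 Connection Request that opens an RDP session; the rule body is not quoted in this thread, and the function names and sample byte strings are constructed for illustration.

```python
import struct

X224_CR = 0xE0  # X.224 Connection Request TPDU code (low nibble carries CDT)

def classify_payload(data: bytes) -> str:
    """Classify one client-to-server TCP payload seen on port 3389."""
    if len(data) < 4:
        return "not-tpkt"
    # TPKT header (RFC 1006): version=3, reserved=0, 16-bit total length
    version, reserved, length = struct.unpack("!BBH", data[:4])
    if version != 3 or reserved != 0:
        return "not-tpkt"
    if length < 7 or length > len(data):
        return "truncated-tpkt"
    li, code = data[4], data[5]  # X.224 length indicator and TPDU code
    if code & 0xF0 == X224_CR:
        # CR fixed part after LI: code, DST-REF(2), SRC-REF(2), class = 6 bytes
        if li < 6 or li + 5 > length:
            return "malformed-cr"
        return "x224-connection-request"
    return "other-tpdu"

def alerts_for_session(client_payloads):
    """Indexes of payloads a connection-request signature would flag."""
    return [i for i, p in enumerate(client_payloads)
            if classify_payload(p) == "x224-connection-request"]

# Constructed samples (not captured traffic).
RDP_SESSION = [
    # minimal connection request: TPKT len 11, LI 6, CR, refs 0, class 0
    bytes([0x03, 0x00, 0x00, 0x0B, 0x06, 0xE0, 0x00, 0x00, 0x00, 0x00, 0x00]),
    # later traffic: X.224 Data TPDU (LI 2, code 0xF0, EOT) plus 5 payload bytes
    bytes([0x03, 0x00, 0x00, 0x0C, 0x02, 0xF0, 0x80]) + b"\x01\x02\x03\x04\x05",
]
TELNET_SESSION = [b"\r\n", b"hello\r\n"]  # someone typing into a raw TCP session

if __name__ == "__main__":
    print("RDP client:", alerts_for_session(RDP_SESSION))
    print("telnet:    ", alerts_for_session(TELNET_SESSION))
```

A rule that matches the connection request fires once per session by design, so on a network where RDP is expected it reports connection attempts rather than anomalies.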
Current thread:
- MS Terminal Server Requests Parker, Ian (Dec 20)
- <Possible follow-ups>
- RE: MS Terminal Server Requests Knight, Ric (Dec 20)
- RE: MS Terminal Server Requests Hicks, John (Dec 20)