Re: Re: [Snort-users] VNC Failed Login

[Nigel Houghton <nigel () sourcefire com>]

On  0, Frank Knobbe <frank () knobbe us> allegedly wrote:
> On Thu, 2004-09-02 at 13:26, sekure wrote:
> > Saw a warning on isc.sans.org about brute force VNC login attempts and
> > couldn't really find any rules to detect it, so I threw together this
> > one:
> >
> > alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login";
> > flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|";
> > content:"Authentication|20|failure"; classtype:unsuccessful-user;
> > sid:1000001; rev:1;)
>
> VNC does not only operate on port 5900 (that's display :0), but also on
> other ports up to 5999. Where are those port lists when you need them :)

Port _ranges_ do exist. $HOME_NET 5900:5903 would take care of 4
displays. You might be increasing the likelihood of false positives though. 

+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+

Attachment: _bin
Description: