Snort mailing list archives
Re: Re: [Snort-users] VNC Failed Login
From: Nigel Houghton <nigel () sourcefire com>
Date: Thu, 2 Sep 2004 19:03:46 -0400
On 0, Frank Knobbe <frank () knobbe us> allegedly wrote:
> On Thu, 2004-09-02 at 13:26, sekure wrote:
> > Saw a warning on isc.sans.org about brute force VNC login attempts and couldn't really find any rules to detect it, so I threw together this one:
> >
> > alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login"; flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|"; content:"Authentication|20|failure"; classtype:unsuccessful-user; sid:1000001; rev:1;)
>
> VNC does not only operate on port 5900 (that's display :0), but also on other ports up to 5999. Where are those port lists when you need them :)

Port _ranges_ do exist. $HOME_NET 5900:5903 would take care of 4 displays. You might be increasing the likelihood of false positives though.

+-------------------------------------------------------------------------+
Nigel Houghton Research Engineer Sourcefire Inc. Vulnerability Research Team

"Dude, dolphins are intelligent and friendly!" - Wendy
"Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+
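
Added example, not part of the original thread and not Snort code: a small Python emulation of the quoted rule's two content matches, run over constructed packets to compare the 5900:5903 source-port range from the reply with the full 5900:5999 range. The sample addresses, the payloads and the non-VNC service on port 5950 are assumptions made for illustration.

```python
from collections import Counter

# Content matches copied from the rule quoted in the thread.
CONTENT_1 = bytes.fromhex("00000000000100000016")
CONTENT_2 = b"Authentication failure"

NARROW = range(5900, 5904)  # Snort 5900:5903, displays :0 to :3
WIDE = range(5900, 6000)    # Snort 5900:5999, displays :0 to :99


def rule_matches(src_port, payload, ports):
    """True when a server-to-client payload would fire the rule."""
    if src_port not in ports:
        return False
    # Content options without relative modifiers are each searched
    # from the start of the payload, so their order does not matter.
    return CONTENT_1 in payload and CONTENT_2 in payload


def failed_logins_by_client(packets, ports):
    """Count rule hits per client address (the packet's destination)."""
    hits = Counter()
    for src_port, client_ip, payload in packets:
        if rule_matches(src_port, payload, ports):
            hits[client_ip] += 1
    return hits


# Constructed sample traffic: (server source port, client IP, payload).
FAIL = CONTENT_1 + CONTENT_2
SAMPLE = [
    (5900, "203.0.113.7", FAIL),
    (5903, "203.0.113.7", FAIL),
    (5917, "203.0.113.7", FAIL),              # display :17, outside 5900:5903
    (5900, "198.51.100.4", b"\x00" * 4),      # no failure text, never matches
    (5950, "198.51.100.9", b"log: " + FAIL),  # assumed non-VNC service on 5950
]

if __name__ == "__main__":
    for label, ports in (("5900:5903", NARROW), ("5900:5999", WIDE)):
        print(label, dict(failed_logins_by_client(SAMPLE, ports)))
```

The wider range picks up the failure on display :17 that the four-port range misses, and it also fires on the unrelated service that happens to carry the same bytes, which is the false-positive trade-off raised in the reply.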