Re: VNC Rule

["Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>]

--On 12 August 2004 05:51 -0700 jonasb () alum rpi edu wrote:

> Hi -
>
> I know that rule 560 in the default Snort ruleset detects VNC traffic -
> but it seems to detect two packets per server connection: one from the
> server responding to the connection and one from the client back to the
> server. I need to detect traffic in only one direction.

[snip]

> I could just change ANY in the second rule to ![192.168.0.0/24], but then
> I wouldn't detect server responses from MIS clients (even more
> important). Does anybody have a VNC rule that will only log the server's
> response (one packet per session initation)?

I look for SYN-ACK packets originating from the server address + port for 
this purpose (i.e. flags: SA,12"). I've used this approach for other rules, 
but not for VNC (yet).

> Thanks
> B

Best Regards,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9




-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users