Snort mailing list archives
Re: Creating a rule for RDP
From: Richard Giles <rgiles () trioptek net>
Date: Fri, 23 Jan 2015 09:45:56 -0600
Anyone maybe have an example of a rule that blocks or drops the traffic? I am interested specifically in blocking RDP traffic after a password is failed more than 3 times.

Thanks in advance,

*Richard Giles | Trioptek Solutions, Inc.*
rgiles () trioptek com | www.trioptek.com
Office: (469) 277-2686 ext: 102
Support: http://support.trioptek.net
LinkedIn: linkedin.com/in/gilesrichard

On Thu, Jan 22, 2015 at 5:06 PM, Richard Giles <rgiles () trioptek net> wrote:
> Hello,
>
> I am trying to write a simple snort rule that will block RDP traffic if the password is failed more than 3-5 times. I have been experimenting using something like the following:
>
> drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Incoming RDP Failure!"; flow:to_server,established; count 2, seconds 60;classtype:misc-activity; sid:10001; rev:2;
>
> This will log an event to Snorby, but it won't block me from trying again. Does anyone have any experience with setting up RDP rules? Please let me know.
>
> Thanks in advance,
>
> *Richard Giles | Trioptek Solutions, Inc.*
> rgiles () trioptek com | www.trioptek.com
> Office: (469) 277-2686 ext: 102
> Support: http://support.trioptek.net
> LinkedIn: linkedin.com/in/gilesrichard
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!