Snort mailing list archives
Re: Creating a rule for RDP
From: Samuel M Westerfeld <sam () utexas edu>
Date: Sat, 7 Feb 2015 02:06:48 -0600
No need to reinvent the wheel. This can (and should) be done through Group Policy or Local Security Policy in Windows.

On Feb 7, 2015 1:36 AM, "Dave Killion" <dave.killion () gmail com> wrote:

> While that's true - RDP is encrypted - a poor man's brute-force detection is to detect n-connections in y seconds between IP peers. Say... 5 connections in 10 seconds? A real user wouldn't go that fast unless they were rapidly trying credentials, and a script would go much faster. You may need to tune the interval, however, to something that makes sense in your network. Yes, this has problems with NAT, and yes, it has problems with slow brute, but... It's better than nothing, and I know with certainty that many commercial IDS' do exactly this.
>
> Dave Killion
>
> On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar () trimble com> wrote:
>
>> On 23/01/15 12:06, Richard Giles wrote:
>>
>>> Hello, I am trying to write a simple snort rule that will block RDP traffic if the password is failed more than 3-5 times. I have been experimenting using something like the following:
>>
>> As far as I'm aware RDP is a fully encrypted channel, so any failed login messages are sent by the server to the client over that encrypted channel. In other words, it's just like SSH, i.e. snort can't read it. The only way I can think of to detect RDP failed logins is to monitor the eventlogs of Windows servers for failed login events :-(
>>
>> --
>> Cheers
>>
>> Jason Haar
>> Corporate Information Security Manager, Trimble Navigation Ltd.
>> Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
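Dave Killion's "n connections in y seconds between IP peers" heuristic, as an added Python example that is not code from this thread or from Snort: a per-peer sliding-window counter replayed over constructed connection records, defaulting to his 5 attempts in 10 seconds. All addresses and timestamps are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample of connection attempts as a sensor would log them:
# (timestamp in seconds, source IP, destination IP, destination port).
SAMPLE_CONNECTIONS = [
    (0.0, "203.0.113.5", "192.0.2.10", 3389),
    (1.0, "203.0.113.5", "192.0.2.10", 3389),
    (2.0, "203.0.113.5", "192.0.2.10", 3389),
    (3.0, "203.0.113.5", "192.0.2.10", 3389),
    (4.0, "203.0.113.5", "192.0.2.10", 3389),   # 5th within 10 s: alert
    (4.5, "203.0.113.5", "192.0.2.10", 3389),   # still inside the window: alert again
    (30.0, "203.0.113.5", "192.0.2.10", 3389),  # earlier attempts aged out: no alert
    (0.5, "198.51.100.7", "192.0.2.10", 3389),  # normal user, two tries in a minute
    (50.0, "198.51.100.7", "192.0.2.10", 3389),
    (2.0, "198.51.100.7", "192.0.2.10", 443),   # not RDP, ignored
]

class PeerRateDetector:
    """Alert once a (src, dst) peer pair has `count` or more connections to
    `port` inside any `seconds`-long window (Snort's detection_filter does the
    same per source with: track by_src, count 5, seconds 10)."""

    def __init__(self, count=5, seconds=10.0, port=3389):
        self.count, self.seconds, self.port = count, seconds, port
        self.windows = defaultdict(deque)  # (src, dst) -> timestamps in window

    def observe(self, ts, src, dst, dport):
        """Feed one connection; return an alert tuple or None."""
        if dport != self.port:
            return None
        window = self.windows[(src, dst)]
        # Evict attempts older than the window (input must be time-ordered).
        while window and ts - window[0] > self.seconds:
            window.popleft()
        window.append(ts)
        if len(window) >= self.count:
            return (ts, src, dst, len(window))
        return None

def detect_bursts(connections, **kwargs):
    """Replay records in time order and collect alerts. As the post notes, NAT
    makes many users look like one peer, so tune count/seconds per network."""
    detector = PeerRateDetector(**kwargs)
    alerts = []
    for ts, src, dst, dport in sorted(connections):
        alert = detector.observe(ts, src, dst, dport)
        if alert:
            alerts.append(alert)
    return alerts
```

With the defaults the attacker peer raises alerts at t=4.0 and t=4.5 and goes quiet once the window expires, while the slow user never trips it; raising `count` or shrinking `seconds` shows how the tuning Dave mentions trades sensitivity for false positives.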
Current thread:
- Creating a rule for RDP Richard Giles (Jan 22)
- Re: Creating a rule for RDP Richard Giles (Jan 23)
- Re: Creating a rule for RDP Scott Savarese (Jan 23)
- Re: Creating a rule for RDP Jason Haar (Feb 06)
- Re: Creating a rule for RDP Dave Killion (Feb 06)
- Re: Creating a rule for RDP Samuel M Westerfeld (Feb 07)
- Re: Creating a rule for RDP Johnathan Wiltberger (Feb 07)
- Re: Creating a rule for RDP Barry Bahrami (Feb 09)
- Re: Creating a rule for RDP Johnathan Wiltberger (Feb 09)
- Re: Creating a rule for RDP Dave Killion (Feb 06)
- Re: Creating a rule for RDP Richard Giles (Jan 23)
- <Possible follow-ups>
- Re: Creating a rule for RDP Simon Wesseldine (Feb 09)
- Re: Creating a rule for RDP Barry Bahrami (Feb 09)