Snort mailing list archives
Re: Creating a rule for RDP
From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Mon, 9 Feb 2015 10:57:22 -0000
Jason, although I will not be able to provide you with the exact answer, I do have advice on how I would tackle the problem.

I would use Wireshark to analyse the client/server connections whilst you perform some distinct operations. Then compare the encrypted conversations in Wireshark, to see if you can identify the different processes taking place. If you are able to identify different patterns and make valid statements about those differences, then you should be able to write some Snort rules, e.g. bytes 3, 5 and 7 coming from the server are values \x08, \x4f and \xf0 for every failed login attempt, etc.

Obviously, if you cannot correctly identify the failed login attempts from the encrypted traffic, then this method will not be possible.

I hope that helps, good luck.

Best regards,
Simon.
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
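The differential approach Simon sketches (capture server-to-client traffic while performing distinct operations, find the byte positions that stay fixed for one operation and vary for the others, then turn those positions into a Snort rule) can be mechanised once the conversations have been exported from Wireshark. The script below is an added illustration, not code from the thread or from the Snort project: the payloads are constructed samples, the \x08/\x4f/\xf0 values at bytes 3, 5 and 7 simply mirror Simon's hypothetical example (treated here as 1-based positions in the TCP payload), the rule uses Snort 2 `content`/`offset`/`depth` syntax with a `detection_filter` so that a burst of failed logins to one client raises an alert, and port 3389 is assumed to be the RDP listener.

```python
from typing import List, Tuple

RDP_PORT = 3389  # assumed RDP listener port for the generated rule

# Constructed server->client payloads, grouped by what the operator was doing
# when they were captured in Wireshark. The \x08/\x4f/\xf0 values at 1-based
# bytes 3, 5, 7 mirror Simon's hypothetical illustration; nothing here is
# real RDP wire data.
FAILED_LOGIN = [
    b"\x03\x00\x08\x01\x4f\x02\xf0\x10\xaa\xbb",
    b"\x03\x00\x08\x09\x4f\x0a\xf0\x11\xcc\xdd",
    b"\x03\x00\x08\x05\x4f\x06\xf0\x12\xee\xff",
]
OTHER_OPERATIONS = [
    b"\x03\x00\x02\x01\x4f\x02\x80\x10\xaa\xbb",  # constructed "successful login"
    b"\x03\x00\x08\x01\x30\x02\xf0\x10\x11\x22",  # constructed "session idle"
    b"\x03\x00\x07\x01\x4f\x02\xf0\x13\x44\x55",  # constructed "disconnect"
]

Marker = Tuple[int, int]  # (0-based payload offset, byte value)


def find_markers(target: List[bytes], others: List[bytes]) -> List[Marker]:
    """Return positions whose byte is identical across every target payload
    and differs in at least one other payload. A position that is constant
    across both groups (a fixed header byte, say) cannot discriminate and is
    dropped; the remaining positions are meant to be matched together."""
    limit = min(len(p) for p in target + others)
    markers: List[Marker] = []
    for i in range(limit):
        values = {p[i] for p in target}
        if len(values) != 1:
            continue                      # varies within the target group
        value = values.pop()
        if all(p[i] == value for p in others):
            continue                      # constant everywhere: no signal
        markers.append((i, value))
    return markers


def matches(payload: bytes, markers: List[Marker]) -> bool:
    """True when every marker byte sits at its offset, which is exactly what
    the generated rule requires of a packet's TCP payload."""
    return all(len(payload) > i and payload[i] == v for i, v in markers)


def snort_rule(markers: List[Marker], sid: int = 1000001) -> str:
    """Render the markers as a Snort 2 rule. offset/depth are absolute from
    the start of the TCP payload, so 1-based 'byte 3' becomes offset:2."""
    contents = "".join(
        f' content:"|{v:02x}|"; offset:{i}; depth:1;' for i, v in markers
    )
    return (
        f"alert tcp $HOME_NET {RDP_PORT} -> $EXTERNAL_NET any ("
        'msg:"HYPOTHETICAL RDP failed-login response pattern"; '
        "flow:from_server,established;"
        f"{contents} "
        # five failed-login responses to one client in a minute is the
        # brute-force signal worth alerting on, not a single mistyped password
        "detection_filter:track by_dst, count 5, seconds 60; "
        f"classtype:attempted-user; sid:{sid}; rev:1;)"
    )


if __name__ == "__main__":
    found = find_markers(FAILED_LOGIN, OTHER_OPERATIONS)
    assert all(matches(p, found) for p in FAILED_LOGIN)
    assert not any(matches(p, found) for p in OTHER_OPERATIONS)
    print(found)
    print(snort_rule(found))
```

The check at the bottom is the step that matters in practice: a candidate rule has to match every capture of the operation you are after and none of the others, and the more operations you capture while the session is open, the fewer spurious "constant" bytes survive. Encrypted channels that randomise their framing will leave `find_markers` empty, which is Simon's caveat expressed as a result.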
Current thread:
- Creating a rule for RDP Richard Giles (Jan 22)
- Re: Creating a rule for RDP Richard Giles (Jan 23)
- Re: Creating a rule for RDP Scott Savarese (Jan 23)
- Re: Creating a rule for RDP Jason Haar (Feb 06)
- Re: Creating a rule for RDP Dave Killion (Feb 06)
- Re: Creating a rule for RDP Samuel M Westerfeld (Feb 07)
- Re: Creating a rule for RDP Johnathan Wiltberger (Feb 07)
- Re: Creating a rule for RDP Barry Bahrami (Feb 09)
- Re: Creating a rule for RDP Johnathan Wiltberger (Feb 09)
- Re: Creating a rule for RDP Dave Killion (Feb 06)
- Re: Creating a rule for RDP Richard Giles (Jan 23)
- <Possible follow-ups>
- Re: Creating a rule for RDP Simon Wesseldine (Feb 09)
- Re: Creating a rule for RDP Barry Bahrami (Feb 09)