Re: Creating a rule for RDP

["Barry Bahrami" <Barry () CommercialNetworkServices com>]

No, not after each attempt.  But it works well enough for the brute force scripts.


Sent from my Verizon Wireless 4G LTE smartphone


-------- Original message --------
From: Johnathan Wiltberger <johwiltb () gmail com> 
Date:02/09/2015  1:42 PM  (GMT-08:00) 
To: Barry Bahrami <Barry () commercialnetworkservices com> 
Cc: snort-sigs () lists sourceforge net 
Subject: Re: [Snort-sigs] Creating a rule for RDP 

Does RDP re-establish a session with each login attempt?  Because if not,
this may not be a valid attempt to find failed passwords.  I'd test it but
I don't have a system to test on right now, however it may be important to
think about how the protocol behaves on login attempts.


- John Wiltberger

On Mon, Feb 9, 2015 at 12:33 PM, Barry Bahrami <
Barry () commercialnetworkservices com> wrote:

> We have a firewall rule setup to block six connections to TCP3389 from the
> same IP in a 10 second window.  it works pretty well.
>
>
>
> Barry Bahrami
>
>
>
>
>
> *From:* Samuel M Westerfeld [mailto:sam () utexas edu]
> *Sent:* Saturday, February 07, 2015 12:07 AM
> *To:* snort-sigs () lists sourceforge net
> *Subject:* Re: [Snort-sigs] Creating a rule for RDP
>
>
>
> No need to reinvent the wheel. This can (and should) be done through Group
> Policy or Local Security Policy in Windows.
>
> On Feb 7, 2015 1:36 AM, "Dave Killion" <dave.killion () gmail com> wrote:
>
> While that's true - RDP is encrypted - a poor man's brute-force detection
> is to detect n-connections in y seconds between IP peers.  Say... 5
> connections in 10 seconds?
>
> A real user wouldn't go that fast unless they were rapidly trying
> credentials, and a script would go much faster.   You may need to tune the
> interval, however, to something that makes sense in your network.
>
> Yes, this has problems with NAT, and yes, it has problems with slow brute,
> but... It's better than nothing, and I know with certainty that many
> commercial IDS' do exactly this.
>
> Dave Killion
>
>
> > On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar () trimble com> wrote:
> >
> > > On 23/01/15 12:06, Richard Giles wrote:
> > > Hello,
> > >
> > > I am trying to write a simple snort rule that will block RDP traffic if
> the password is failed more then 3-5 times. I have been experimenting using
> something like the following:
> > >
> > As far as I'm aware RDP is a fully encrypted channel, so any failed
> login messages are sent by the server to the client over that encrypted
> channel. In other words, it's just like SSH
> > ie snort can't read it.
> >
> > The only way I can think of to detect RDP failed logins is to monitor
> the eventlogs of Windows servers for failed login events :-(
> > --
> > Cheers
> >
> > Jason Haar
> > Corporate Information Security Manager, Trimble Navigation Ltd.
> > Phone: +1 408 481 8171
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> > sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> > hub for all things parallel software development, from weekly thought
> > leadership blogs to news, videos, case studies, tutorials and more. Take
> a
> > look and join the conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!