Snort mailing list archives

Re: Terminal services signature


From: Andreas Östling <andreaso () it su se>
Date: Wed, 24 Jul 2002 22:19:19 +0200 (CEST)


On Wed, 24 Jul 2002, Tony Wong wrote:

> How do I create a rule to alert terminal service access
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Terminal Services
> access"; ......
>
> ... Then I don't know what to put in between ()
>
> Thanks

Two rules are in snortrules-current (sid 1447 and 1448).

Personally, I also find these useful:

alert tcp any any -> any 3389 (msg: "RDP connection request"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|E0|"; offset: 5; depth: 1; flags: A+;)

alert tcp any 3389 -> any any (msg: "RDP connection confirm"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|D0|"; offset: 5; depth: 1; flags: A+;)

alert tcp any any -> any 3389 (msg: "RDP disconnect request"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|80|"; offset: 5; depth: 1; flags: A+;)

alert tcp any any <> any 3389 (msg: "RDP error packet"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|70|"; offset: 5; depth: 1; flags: A+;)


Search the snort-sigs archive for more info.

/Andreas
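As an added example (not from Andreas's post or from the Snort rule set), the Python below reproduces the byte checks made by the four rules above and runs them over constructed TPKT/X.224 segments: byte 0 is the TPKT version (0x03) and byte 5 is the X.224 TPDU code, so the rules fire on the cleartext X.224 handshake only. The `flags: A+` test is modelled as a plain ACK boolean, and all sample payloads are constructed here.

```python
import struct
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    msg: str
    rdp_side: str  # which end of the flow holds port 3389: "dst", "src" or "either"
    code: int      # X.224 TPDU code expected at payload offset 5

# One entry per posted rule; byte 0 (TPKT version 0x03) is common to all of them.
RULES = (
    Rule("RDP connection request", "dst", 0xE0),
    Rule("RDP connection confirm", "src", 0xD0),
    Rule("RDP disconnect request", "dst", 0x80),
    Rule("RDP error packet", "either", 0x70),
)
RDP_PORT = 3389

def content_at(payload: bytes, offset: int, depth: int = 1) -> bytes:
    """Emulate content/offset/depth: the match window starts at offset and spans depth bytes."""
    return payload[offset:offset + depth]

def matches(rule: Rule, sport: int, dport: int, ack: bool, payload: bytes) -> bool:
    if not ack:  # flags: A+ -> ACK must be set, other flags may be set too
        return False
    if rule.rdp_side == "dst" and dport != RDP_PORT:
        return False
    if rule.rdp_side == "src" and sport != RDP_PORT:
        return False
    if rule.rdp_side == "either" and RDP_PORT not in (sport, dport):
        return False
    # content:"|03|"; offset:0; depth:1   and   content:"|XX|"; offset:5; depth:1
    return content_at(payload, 0) == b"\x03" and content_at(payload, 5) == bytes([rule.code])

def alerts(sport: int, dport: int, ack: bool, payload: bytes) -> list:
    """Return the msg of every rule that fires on one TCP segment."""
    return [r.msg for r in RULES if matches(r, sport, dport, ack, payload)]

def tpkt_x224(code: int, body: bytes) -> bytes:
    """Constructed segment: TPKT header (03 00 len16) + X.224 header (LI, code) + body."""
    x224 = bytes([1 + len(body), code]) + body
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224

# Constructed samples: an X.224 CR carrying an mstshash cookie (should alert),
# and an X.224 DT data TPDU (0xF0) on the same port that must not alert.
CR_SAMPLE = tpkt_x224(0xE0, b"\x00\x00\x00\x00\x00" + b"Cookie: mstshash=user\r\n")
DT_SAMPLE = tpkt_x224(0xF0, b"\x80" + b"\x00" * 8)
```

Because only bytes 0 and 5 are inspected, a later TLS record on port 3389 (first byte 0x16) never matches, so these rules see the connection setup and teardown, not the session traffic.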