Snort mailing list archives
Re: Terminal services signature
From: Andreas Östling <andreaso () it su se>
Date: Wed, 24 Jul 2002 22:19:19 +0200 (CEST)
On Wed, 24 Jul 2002, Tony Wong wrote:
> How do I create a rule to alert terminal service access
>
> Alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Terminal Services access"; ...... ...
>
> Then I don't know what to put in between ()
>
> Thanks
Two rules are in snortrules-current (sid 1447 and 1448). Personally, I also find these useful:

alert tcp any any -> any 3389 (msg: "RDP connection request"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|E0|"; offset: 5; depth: 1; flags: A+;)

alert tcp any 3389 -> any any (msg: "RDP connection confirm"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|D0|"; offset: 5; depth: 1; flags: A+;)

alert tcp any any -> any 3389 (msg: "RDP disconnect request"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|80|"; offset: 5; depth: 1; flags: A+;)

alert tcp any any <> any 3389 (msg: "RDP error packet"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|70|"; offset: 5; depth: 1; flags: A+;)

Search the snort-sigs archive for more info.

/Andreas
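As an added illustration (not part of the original post) of what the four rules above key on: byte 0 is the TPKT version (0x03, RFC 1006) and byte 5 is the X.224 TPDU code, because the TPKT header occupies bytes 0-3 and byte 4 is the X.224 length indicator. The script below emulates those two content checks over constructed, hand-built payloads; ports and TCP flags from the rules are not modelled.

```python
import struct
from typing import Optional

# X.224 TPDU codes the rules match at offset 5, mapped to each rule's msg text.
RDP_RULES = {
    0xE0: "RDP connection request",   # Connection Request (CR), client -> 3389
    0xD0: "RDP connection confirm",   # Connection Confirm (CC), 3389 -> client
    0x80: "RDP disconnect request",   # Disconnect Request (DR)
    0x70: "RDP error packet",         # Error (ER)
}

TPKT_VERSION = 0x03  # TPKT header: version(1) reserved(1) length(2), big-endian


def classify_rdp(payload: bytes) -> Optional[str]:
    """Return the msg of the rule that would fire on this payload, else None.

    Mirrors the rules' content checks: |03| at offset 0 depth 1, then the
    TPDU code at offset 5 depth 1. Port and flags:A+ conditions are ignored.
    """
    if len(payload) < 6:
        return None               # too short to hold TPKT + X.224 LI + code
    if payload[0] != TPKT_VERSION:
        return None               # first content match fails
    return RDP_RULES.get(payload[5])


def build_x224(tpdu_code: int, body: bytes = b"") -> bytes:
    """Construct a TPKT-framed X.224 TPDU with the given code byte (sample data)."""
    x224 = bytes([1 + len(body), tpdu_code]) + body     # LI counts code + body
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


# Constructed samples: a CR (dst-ref, src-ref, class option, then a cookie),
# a CC, and a non-TPKT payload that must not match.
SAMPLE_CR = build_x224(0xE0, b"\x00\x00\x00\x00\x00Cookie: mstshash=user\r\n")
SAMPLE_CC = build_x224(0xD0, b"\x00\x00\x00\x00\x00")
SAMPLE_HTTP = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in [("CR", SAMPLE_CR), ("CC", SAMPLE_CC), ("HTTP", SAMPLE_HTTP)]:
        print(name, pkt.hex(), "->", classify_rdp(pkt))
```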
Current thread:
- Terminal services signature Tony Wong (Jul 24)
- Re: Terminal services signature Andreas Östling (Jul 24)
- <Possible follow-ups>
- RE: Terminal services signature McCammon, Keith (Jul 24)