Snort mailing list archives
Re: Re: [Snort-users] VNC Failed Login
From: Jose Maria Lopez <jkerouac () bgsec com>
Date: 03 Sep 2004 19:41:43 +0200
On Fri, 03 Sep 2004 at 01:03, Nigel Houghton wrote:
> On 0, Frank Knobbe <frank () knobbe us> allegedly wrote:
> > On Thu, 2004-09-02 at 13:26, sekure wrote:
> > > Saw a warning on isc.sans.org about brute force VNC login attempts and
> > > couldn't really find any rules to detect it, so I threw together this one:
> > >
> > > alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login"; flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|"; content:"Authentication|20|failure"; classtype:unsuccessful-user; sid:1000001; rev:1;)
> >
> > VNC does not only operate on port 5900 (that's display :0), but also on
> > other ports up to 5999. Where are those port lists when you need them :)
>
> Port _ranges_ do exist. $HOME_NET 5900:5903 would take care of 4 displays.
> You might be increasing the likelihood of false positives though.
>
> +-------------------------------------------------------------------------+
> Nigel Houghton
> Research Engineer
> Sourcefire Inc.
> Vulnerability Research Team
>
> "Dude, dolphins are intelligent and friendly!" - Wendy
> "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
> +-------------------------------------------------------------------------+

I think it can use the 5801 and up ports to communicate and even the 6001
(the ones from X) and up to communicate. I block them all.

--
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac () bgsec com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
 -- Jack Kerouac, "On the Road"
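
The matching behaviour discussed in this thread, as an added Python example that is not part of any poster's message: it emulates the posted rule's two `content` matches plus a source-port range, and shows the false-positive case that arises because non-relative `content` options are each searched anywhere in the payload. `strict_match` is a hypothetical tighter variant, and every payload below is constructed, not captured traffic.

```python
# Added example: emulates the posted rule's matching on constructed payloads.
HEADER = bytes.fromhex("00000000000100000016")  # first content: option
REASON = b"Authentication failure"              # second content: ("|20|" = space)


def port_in_range(port, low, high):
    """Snort port ranges (low:high) are inclusive at both ends."""
    return low <= port <= high


def loose_match(payload):
    """As posted: two non-relative contents, each searched anywhere."""
    return HEADER in payload and REASON in payload


def strict_match(payload):
    """Hypothetical tighter variant: the string must directly follow the bytes."""
    return HEADER + REASON in payload


def alerts(src_port, payload, low=5900, high=5900, matcher=loose_match):
    """True when a server-to-client payload from src_port would trigger."""
    return port_in_range(src_port, low, high) and matcher(payload)


# Constructed payloads, not captured traffic.
FAILED_LOGIN = HEADER + REASON
UNRELATED = b"log: Authentication failure for bob\n" + HEADER + b"\x00\x00"

if __name__ == "__main__":
    cases = [
        ("display :0, rule as posted", alerts(5900, FAILED_LOGIN)),
        ("display :1, rule as posted", alerts(5901, FAILED_LOGIN)),
        ("display :1, range 5900:5903", alerts(5901, FAILED_LOGIN, 5900, 5903)),
        ("unrelated data, loose", alerts(5902, UNRELATED, 5900, 5999)),
        ("unrelated data, strict", alerts(5902, UNRELATED, 5900, 5999, strict_match)),
    ]
    for label, fired in cases:
        print(f"{label:32} alert={fired}")
```

The last byte of the first pattern, 0x16, is 22, which is the length of the string in the second pattern.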