Snort mailing list archives

VNC Rule


From: <jonasb () alum rpi edu>
Date: Thu, 12 Aug 2004 05:51:29 -0700

Hi -

I know that rule 560 in the default Snort ruleset detects VNC traffic -
but it seems to detect two packets per server connection: one from the
server responding to the connection and one from the client back to the
server. I need to detect traffic in only one direction.

I need to check for two types of VNC connections - One of them being an
MIS rule where I detect responses to management clients, and the other
(more serious), where I detect VNC connections initiated by clients
outside of the management subnet i.e. if mgmt is 192.168.0.0/24, then
I'd want a rule from ANY to [192.168.0.0/24] and one from ANY to
![192.168.0.0/24]

The problem is that since the existing VNC rule logs two packets (one in
each direction), I get two alerts for an MIS outbound connection (i.e.
both rules above are triggered, the first for the server response to
MIS, and the second because the client's response is detected).

I could just change ANY in the second rule to ![192.168.0.0/24], but
then I wouldn't detect server responses from MIS clients (even more
important). Does anybody have a VNC rule that will only log the server's
response (one packet per session initiation)?

Thanks
B 
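Two rules along the lines the post asks for, added here as an example; they are not from the original thread and not the stock rule 560. In the RFB protocol the server speaks first with a version banner ("RFB 003.003\n", "RFB 003.007\n" or "RFB 003.008\n"), and the client answers with the same kind of banner, which is why a content match alone fires once per direction. Restricting the rule with flow:from_server,established makes only the server-to-client packet match, so each session produces one alert. The direction is server -> client, so the destination address is the client: 192.168.0.0/24 for the management subnet and its negation for everything else. The port range, sids, message strings and classtypes are assumptions; the flow keyword also assumes the stream preprocessor is enabled so Snort knows which side of the connection is the server.

```snort
# Added example, not part of the original post or the Snort ruleset.
# Server banner sent to a management (MIS) client: informational.
alert tcp any 5900:5910 -> 192.168.0.0/24 any (msg:"VNC server response to management client"; flow:from_server,established; content:"RFB 003."; depth:8; classtype:misc-activity; sid:1000001; rev:1;)

# Server banner sent to a client outside the management subnet: policy violation.
alert tcp any 5900:5910 -> ![192.168.0.0/24] any (msg:"VNC server response to non-management client"; flow:from_server,established; content:"RFB 003."; depth:8; classtype:policy-violation; sid:1000002; rev:1;)
```

Because the two destination sets are complementary, a given server banner matches exactly one of the rules, and the client's echoed banner (flowing to the server) matches neither. If VNC servers in your environment listen on display numbers above 10, widen the port range accordingly; a server on a non-standard port will be missed unless the port list is adjusted.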