Snort mailing list archives
Re: VNC Rule
From: sekure <sekure () gmail com>
Date: Thu, 12 Aug 2004 09:34:42 -0400
Play around with suppression and suppress the rules you want based on source or destination networks.

----- Original Message -----
From: jonasb () alum rpi edu <jonasb () alum rpi edu>
Date: Thu, 12 Aug 2004 05:51:29 -0700
Subject: [Snort-users] VNC Rule
To: snort-users () lists sourceforge net

Hi -

I know that rule 560 in the default Snort ruleset detects VNC traffic - but it seems to detect two packets per server connection: one from the server responding to the connection and one from the client back to the server. I need to detect traffic in only one direction.

I need to check for two types of VNC connections - one of them being an MIS rule where I detect responses to management clients, and the other (more serious), where I detect VNC connections initiated by clients outside of the management subnet, i.e. if mgmt is 192.168.0.0/24, then I'd want a rule from ANY to [192.168.0.0/24] and one from ANY to ![192.168.0.0/24].

The problem is that since the existing VNC rule logs two packets (one in each direction), I get two alerts for an MIS outbound connection (i.e. both rules above are triggered, the first for the server response to MIS, and the second because the client's response is detected). I could just change ANY in the second rule to ![192.168.0.0/24], but then I wouldn't detect server responses from MIS clients (even more important).

Does anybody have a VNC rule that will only log the server's response (one packet per session initiation)?

Thanks
B
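One way to get a single alert per VNC session, written as an added example for this thread rather than code from either poster or from the Snort ruleset: match only the server's RFB protocol greeting ("RFB 003.xxx" is the first thing a VNC server sends) and restrict the rule to server-to-client packets with the flow keyword, so the client's echo of the same banner no longer fires. The two rules below split on the client address the way the question asks (management subnet vs. everything else), and the trailing suppress line shows the per-network suppression the reply suggests for the stock rule 560. The MGMT_NET value, the SIDs, and the port range 5900:5910 are assumptions for illustration; the suppress directive lives in threshold.conf (included from snort.conf) on Snort 2.x.

```snort
# Added example, not from the thread. Assumed management subnet from the question.
var MGMT_NET 192.168.0.0/24

# Server -> client only: flow:from_server keeps the client's own "RFB 0..."
# reply from matching, so each session produces one alert. Ports 5900-5910
# (display :0-:10) are an assumption for the example.
alert tcp any 5900:5910 -> $MGMT_NET any (msg:"LOCAL VNC server greeting to management client"; \
    flow:established,from_server; content:"RFB 0"; depth:5; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Same greeting, but the client is outside the management subnet: the more
# serious case the question describes, so give it a louder classtype.
alert tcp any 5900:5910 -> !$MGMT_NET any (msg:"LOCAL VNC server greeting to non-management client"; \
    flow:established,from_server; content:"RFB 0"; depth:5; \
    classtype:attempted-admin; sid:1000002; rev:1;)

# Alternative from the reply: keep the stock rule and silence it only for
# traffic whose destination is the management subnet (threshold.conf).
suppress gen_id 1, sig_id 560, track by_dst, ip 192.168.0.0/24
```

The flow keyword depends on the stream preprocessor tracking the TCP session, so the greeting is only seen as from_server once the handshake has been observed; sessions that were already open when Snort started will not produce the alert. Suppression by source or destination is the lighter-touch option when you do not want to edit rule text, but it hides the event entirely for that network rather than tagging it with a different severity.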