Snort mailing list archives

Re: VNC Rule


From: sekure <sekure () gmail com>
Date: Thu, 12 Aug 2004 09:34:42 -0400

Play around with suppression and suppress the rules you want based on
source or destination networks.


----- Original Message -----
From: jonasb () alum rpi edu <jonasb () alum rpi edu>
Date: Thu, 12 Aug 2004 05:51:29 -0700
Subject: [Snort-users] VNC Rule
To: snort-users () lists sourceforge net

Hi -

I know that rule 560 in the default Snort ruleset detects VNC traffic
- but it seems to detect two packets per server connection: one from
the server responding to the connection and one from the client back
to the server. I need to detect traffic in only one direction.

I need to check for two types of VNC connections - One of them being
an MIS rule where I detect responses to management clients, and the
other (more serious), where I detect VNC connections initiated by
clients outside of the management subnet i.e. if mgmt is
192.168.0.0/24, then I'd want a rule from ANY to [192.168.0.0/24] and
one from ANY to ![192.168.0.0/24]

The problem is that since the existing VNC rule logs two packets (one
in each direction), I get two alerts for an MIS outbound connection
(i.e. both rules above are triggered, the first for the server
response to MIS, and the second because the client's response is
detected).

I could just change ANY in the second rule to ![192.168.0.0/24], but
then I wouldn't detect server responses from MIS clients (even more
important). Does anybody have a VNC rule that will only log the
server's response (one packet per session initiation)?

Thanks
B


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
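Added example, not from either poster: Snort 2.x rules that alert only on the server's side of the VNC handshake, using the management subnet from the question. The RFB protocol starts with the server sending its ProtocolVersion banner ("RFB 003.xxx" followed by a newline) and the client answering with a banner in the same format, so a rule that matches "RFB 0" without a direction constraint fires once per direction. Adding flow:from_server,established keeps each rule to the server's banner. The sids, the port range, the variable names and the suppress entry (threshold.conf syntax, as an alternative along the lines of sekure's reply) are assumptions; the flow keyword needs the stream4 preprocessor enabled.

```snort
# snort.conf fragment (assumed values)
var MGMT_NET [192.168.0.0/24]
var VNC_PORTS 5900:5910

# 1. Informational: a VNC server answering a client in the management subnet.
#    flow:from_server,established restricts the match to the server's banner,
#    so the client's echoed version string does not raise a second alert.
alert tcp any $VNC_PORTS -> $MGMT_NET any (msg:"POLICY VNC server response to mgmt client"; flow:from_server,established; content:"RFB 0"; depth:5; classtype:misc-activity; sid:1000560; rev:1;)

# 2. Serious: a VNC server answering a client outside the management subnet.
alert tcp any $VNC_PORTS -> !$MGMT_NET any (msg:"POLICY VNC server response to non-mgmt client"; flow:from_server,established; content:"RFB 0"; depth:5; classtype:policy-violation; sid:1000561; rev:1;)

# threshold.conf fragment: the suppression route instead of new rules.
# Silences the stock rule (sid 560) for packets sourced from the management
# subnet, which removes the client-side alert for management-initiated
# sessions. Caveat: it also silences banners from any VNC server that lives
# inside 192.168.0.0/24, so the two-rule approach above is the tighter fit.
suppress gen_id 1, sig_id 560, track by_src, ip 192.168.0.0/24
```

With the two rules, a management client connecting to a server produces one alert (sid 1000560) and nothing from sid 1000561, because the client's banner travels to the server and is excluded by flow:from_server; a server answering any non-management client produces exactly one sid 1000561 alert.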