Snort mailing list archives
Policy VNC server response
From: hchlai () netscape net (Hin)
Date: Wed, 28 Sep 2005 09:36:42 -0400
Hi Snorters, A quick question on the below signature. From what I understand, the below signature will detect the response traffic of a VNC server, which means the source address of the alert should be where the VNC server is, right? What would the reason be if I see the VNC server in the destination address field of the alert? alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;) Hin __________________________________________________________________ Switch to Netscape Internet Service. As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register Netscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp ------------------------------------------------------- This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Policy VNC server response Hin (Sep 28)
- Re: Policy VNC server response Joel Esler (Sep 28)