Snort mailing list archives

Policy VNC server response


From: hchlai () netscape net (Hin)
Date: Wed, 28 Sep 2005 09:36:42 -0400

Hi Snorters, 

A quick question on the below signature. From what I understand, the below signature will detect the response traffic 
of a VNC server, which means the source address of the alert should be where the VNC server is, right? 
What would the reason be if I see the VNC server in the destination address field of the alert?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)

Hin
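
Added example (not part of the original post, and not Snort's own code): a minimal Python model of the rule header and the two content options in sid:560, run over constructed handshakes. It relies on the RFB handshake, in which the server and the client each send a ProtocolVersion string of the same format; the addresses, the HOME_NET value and the assumption that EXTERNAL_NET is everything outside HOME_NET are illustrative.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed; EXTERNAL_NET = !HOME_NET


def content_match(payload, pattern, offset=0, depth=None):
    """Absolute content match: the search starts at `offset` and the
    pattern must lie entirely within the next `depth` bytes."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]


def sid_560_matches(src, dst, payload):
    """True if a packet satisfies the rule header and both content options.
    flow:established is taken as true; it names no direction (to_client or
    to_server), so only the header's -> constrains who sent the packet."""
    src_home = ipaddress.ip_address(src) in HOME_NET
    dst_home = ipaddress.ip_address(dst) in HOME_NET
    if src_home or not dst_home:  # header: $EXTERNAL_NET any -> $HOME_NET any
        return False
    return (content_match(payload, b"RFB 0", depth=5)
            and content_match(payload, b".0", offset=7, depth=2))


def alerts(packets):
    """Return (src, dst) for every packet that would raise the alert."""
    return [(s, d) for s, d, p in packets if sid_560_matches(s, d, p)]


# Constructed traffic: (source, destination, payload)
INSIDE, OUTSIDE = "192.168.1.10", "203.0.113.5"
VERSION = b"RFB 003.008\n"  # ProtocolVersion string, same format both ways

# VNC server inside HOME_NET, viewer outside
SERVER_INSIDE = [
    (INSIDE, OUTSIDE, VERSION),   # server banner: HOME -> EXTERNAL, header fails
    (OUTSIDE, INSIDE, VERSION),   # viewer's reply: EXTERNAL -> HOME, rule fires
]
# VNC server outside, viewer inside HOME_NET
SERVER_OUTSIDE = [
    (OUTSIDE, INSIDE, VERSION),   # server banner: EXTERNAL -> HOME, rule fires
    (INSIDE, OUTSIDE, VERSION),   # viewer's reply: HOME -> EXTERNAL, header fails
]

if __name__ == "__main__":
    print("server inside :", alerts(SERVER_INSIDE))
    print("server outside:", alerts(SERVER_OUTSIDE))
```

With the server inside HOME_NET, the only matching packet is the viewer's version reply, so the server appears as the destination of the alert.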
