Snort mailing list archives
trouble with RDP rules
From: Сергей Малинкин <malinkinsa () gmail com>
Date: Wed, 28 May 2014 11:44:30 +0400
Hello friends! In one subnet I cannot collect RDP events in Snort. I am using the following rules:

alert tcp any any -> any 3389 (msg:"ET POLICY RDP connection request"; flow:to_server,established; content:"|03|"; offset:0; depth:1; content:"|E0|"; offset:5; depth:1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:8;)

alert tcp any 3389 -> any any (msg:"ET POLICY RDP connection confirm"; flow:from_server,established; content:"|03|"; offset:0; depth:1; content:"|D0|"; offset:5; depth:1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8;)

alert tcp any any -> any 3389 (msg:"ET POLICY RDP disconnect request"; flow:to_server,established; content:"|03|"; offset:0; depth:1; content:"|80|"; offset:5; depth:1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:8;)

If I collect data with tcpdump and filter by my IP, I see the following result:

10:53:14.803778 IP my_ip.cyaserv > hostname.local.ms-wbt-server: Flags [P.], seq 14366:14407, ack 48920, win 64805, length 41
10:53:14.804046 IP hostname.local.ms-wbt-server > my_ip.cyaserv: Flags [P.], seq 48920:48967, ack 14407, win 64735, length 47

where my_ip is the IP of the workstation I am connecting from, and hostname is the target workstation. How can I use Snort to collect this event? Thanks!
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
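Added example (not part of the original post or of the Emerging Threats rule set): a byte-level re-implementation of what the three rules above actually test, run over constructed RDP packets. The checks are `content:"|03|"; offset:0; depth:1`, i.e. the TPKT version byte, and `content:"|XX|"; offset:5; depth:1`, i.e. the X.224 TPDU code that follows the TPKT header and length indicator (0xE0 Connection Request, 0xD0 Connection Confirm, 0x80 Disconnect Request). Those codes occur only in the first packets of a session; once the session is up, the data either travels as X.224 Data TPDUs (0xF0 at offset 5) or, after a TLS/CredSSP negotiation, inside TLS records whose first byte is 0x17, so the rules cannot fire on mid-stream segments such as the two tcpdump lines quoted in the post (sequence numbers 14366 and 48920). The rules also carry `flow:established`, so Snort's stream preprocessor must have seen the TCP handshake; with default settings a session picked up midstream is never flagged established. All packets below are constructed by hand for the example; the cookie user name, reference values and requested-protocol flags are arbitrary.

```python
"""Re-implementation of the content checks in ET SIDs 2001329/2001330/2001331
(added example, not Snort's matching engine; all packets are constructed)."""

TPKT_VERSION = 0x03
X224_CR = 0xE0   # Connection Request  (client -> server)
X224_CC = 0xD0   # Connection Confirm  (server -> client)
X224_DR = 0x80   # Disconnect Request  (client -> server)
X224_DT = 0xF0   # Data TPDU: what every later RDP PDU uses on plain RDP security

# sid -> (flow direction, byte expected at offset 5, msg) exactly as in the rules
RULES = {
    2001329: ("to_server", X224_CR, "ET POLICY RDP connection request"),
    2001330: ("from_server", X224_CC, "ET POLICY RDP connection confirm"),
    2001331: ("to_server", X224_DR, "ET POLICY RDP disconnect request"),
}


def matches(payload: bytes, direction: str) -> list:
    """Return the SIDs whose content/flow checks match this TCP payload."""
    # content:"|03|"; offset:0; depth:1  ->  payload[0] == 0x03 (TPKT version)
    if len(payload) < 6 or payload[0] != TPKT_VERSION:
        return []
    # content:"|XX|"; offset:5; depth:1  ->  payload[5] == X.224 TPDU code
    return [sid for sid, (flow, code, _msg) in RULES.items()
            if flow == direction and payload[5] == code]


def tpkt(x224: bytes) -> bytes:
    """Wrap an X.224 TPDU in a TPKT header: version 3, reserved 0, 16-bit total length."""
    return bytes([TPKT_VERSION, 0x00]) + (4 + len(x224)).to_bytes(2, "big") + x224


def x224_cr(cookie: bytes = b"Cookie: mstshash=user\r\n", protocols: int = 0x0B) -> bytes:
    """Connection Request with a routing cookie and an RDP_NEG_REQ (hypothetical values)."""
    neg_req = bytes([0x01, 0x00, 0x08, 0x00]) + protocols.to_bytes(4, "little")
    body = bytes([X224_CR, 0, 0, 0, 0, 0]) + cookie + neg_req  # code, dst-ref, src-ref, class
    return tpkt(bytes([len(body)]) + body)                      # LI excludes itself


def x224_cc(selected_protocol: int = 0x01) -> bytes:
    """Connection Confirm carrying an RDP_NEG_RSP (here: server selected TLS)."""
    neg_rsp = bytes([0x02, 0x00, 0x08, 0x00]) + selected_protocol.to_bytes(4, "little")
    body = bytes([X224_CC, 0x00, 0x00, 0x12, 0x34, 0x00]) + neg_rsp
    return tpkt(bytes([len(body)]) + body)


def x224_dr(reason: int = 0) -> bytes:
    """Disconnect Request: code, dst-ref, src-ref, reason."""
    body = bytes([X224_DR, 0, 0, 0, 0, reason])
    return tpkt(bytes([len(body)]) + body)


def x224_data(app: bytes) -> bytes:
    """Data TPDU as used on legacy RDP security: LI=2, code 0xF0, EOT 0x80."""
    return tpkt(bytes([0x02, X224_DT, 0x80]) + app)


# Constructed mid-session segment after a TLS negotiation: a 41-byte TLS 1.2
# application-data record, sized like the first tcpdump line in the post.
TLS_APP_DATA = bytes([0x17, 0x03, 0x03, 0x00, 0x24]) + b"\x00" * 36

# Constructed session as the sensor would see it from the TCP handshake onward.
SESSION = [
    ("to_server", x224_cr()),
    ("from_server", x224_cc()),
    ("to_server", TLS_APP_DATA),                 # encrypted payload: no TPKT, no match
    ("from_server", x224_data(b"\x00" * 40)),    # legacy-security data PDU: 0xF0 at offset 5
    ("to_server", x224_dr()),
]


def scan(session) -> list:
    """Run the rule checks over (direction, payload) pairs and return (sid, msg) alerts."""
    return [(sid, RULES[sid][2])
            for direction, payload in session
            for sid in matches(payload, direction)]


if __name__ == "__main__":
    for sid, msg in scan(SESSION):
        print(sid, msg)
```

Only the first two packets and the final disconnect produce alerts; the two mid-session packets produce none, which is the situation the tcpdump lines in the post show. If the sensor sits where it sees only already-open sessions, these rules stay silent regardless of how much RDP traffic passes.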
Current thread:
- trouble with RDP rules Сергей Малинкин (May 28)