Snort mailing list archives

trouble with RDP rules


From: Сергей Малинкин <malinkinsa () gmail com>
Date: Wed, 28 May 2014 11:44:30 +0400

Hello friends!

In one subnet I cannot collect RDP events in Snort.

I am using the following rules:

alert tcp any any -> any 3389 (msg:"ET POLICY RDP connection request"; flow:to_server,established; content:"|03|"; offset:0; depth:1; content:"|E0|"; offset:5; depth:1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:8;)

alert tcp any 3389 -> any any (msg:"ET POLICY RDP connection confirm"; flow:from_server,established; content:"|03|"; offset:0; depth:1; content:"|D0|"; offset:5; depth:1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8;)

alert tcp any any -> any 3389 (msg:"ET POLICY RDP disconnect request"; flow:to_server,established; content:"|03|"; offset:0; depth:1; content:"|80|"; offset:5; depth:1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:8;)

If I collect data with tcpdump and filter by my IP, I see the following result:

10:53:14.803778 IP my_ip.cyaserv > hostname.local.ms-wbt-server: Flags [P.], seq 14366:14407, ack 48920, win 64805, length 41

10:53:14.804046 IP hostname.local.ms-wbt-server > my_ip.cyaserv: Flags [P.], seq 48920:48967, ack 14407, win 64735, length 47

Here my_ip is the IP of my workstation from which I am connecting, and hostname is the target workstation.

How can I use Snort to collect this event?

Thx!
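As an added illustration (not part of the original post, the ET rule set or Snort itself), this Python snippet reproduces the content/offset/depth checks of the three rules above over constructed TPKT/X.224 payloads plus a constructed 41-byte TLS application-data record like the mid-session packets in the tcpdump output. It shows that only the plaintext X.224 connection request, connection confirm and disconnect request TPDUs match; if the confirm selects TLS, later packets are TLS records that no longer start with the TPKT 0x03 byte and will not trigger these rules.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    to_server: bool   # flow:to_server (True) or flow:from_server (False)
    x224_code: int    # X.224 TPDU code expected at payload offset 5

# The three ET rules from the post, reduced to their matching logic.
RULES = [
    Rule(2001329, "RDP connection request", True, 0xE0),
    Rule(2001330, "RDP connection confirm", False, 0xD0),
    Rule(2001331, "RDP disconnect request", True, 0x80),
]

def content_at(payload: bytes, needle: bytes, offset: int, depth: int) -> bool:
    """Snort content;offset;depth semantics: search within payload[offset:offset+depth]."""
    return needle in payload[offset:offset + depth]

def match_rules(payload: bytes, to_server: bool) -> list[int]:
    """Return the SIDs whose direction and content checks match one TCP payload."""
    hits = []
    for r in RULES:
        if r.to_server != to_server:
            continue
        if content_at(payload, b"\x03", 0, 1) and content_at(payload, bytes([r.x224_code]), 5, 1):
            hits.append(r.sid)
    return hits

def tpkt(x224_tpdu: bytes) -> bytes:
    """Wrap an X.224 TPDU in a TPKT header: version 3, reserved 0, 16-bit total length."""
    return bytes([0x03, 0x00]) + (4 + len(x224_tpdu)).to_bytes(2, "big") + x224_tpdu

# Constructed sample payloads (byte layout follows ITU-T X.224 / MS-RDPBCGR).
# Connection Request: LI, code 0xE0, DST-REF, SRC-REF, class, then an RDP negotiation request.
X224_CR = tpkt(bytes([0x0E, 0xE0, 0, 0, 0, 0, 0]) + b"\x01\x00\x08\x00\x03\x00\x00\x00")
# Connection Confirm: code 0xD0, then an RDP negotiation response selecting TLS.
X224_CC = tpkt(bytes([0x0E, 0xD0, 0, 0, 0x12, 0x34, 0]) + b"\x02\x00\x08\x00\x02\x00\x00\x00")
# Disconnect Request: code 0x80, DST-REF, SRC-REF, reason.
X224_DR = tpkt(bytes([0x06, 0x80, 0, 0, 0x12, 0x34, 0x00]))
# Mid-session TLS application-data record (0x17), 41 bytes, like the captured PSH packet.
TLS_APP_DATA = b"\x17\x03\x03\x00\x24" + b"\x00" * 36

if __name__ == "__main__":
    for name, payload, to_srv in [("CR", X224_CR, True), ("CC", X224_CC, False),
                                  ("DR", X224_DR, True), ("TLS", TLS_APP_DATA, True)]:
        print(name, match_rules(payload, to_srv))
```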