Snort mailing list archives

Re: Creating a rule for RDP


From: Richard Giles <rgiles () trioptek net>
Date: Fri, 23 Jan 2015 09:45:56 -0600

Does anyone maybe have an example of a rule that blocks or drops the traffic? I
am interested specifically in blocking RDP traffic after a password is
failed more than 3 times.

Thanks in advance,



*Richard Giles | Trioptek Solutions, Inc. *
rgiles () trioptek com | www.trioptek.com
Office: (469) 277-2686 ext: 102
Support: http://support.trioptek.net
LinkedIn: linkedin.com/in/gilesrichard


On Thu, Jan 22, 2015 at 5:06 PM, Richard Giles <rgiles () trioptek net> wrote:

Hello,

I am trying to write a simple snort rule that will block RDP traffic if
the password is failed more than 3-5 times. I have been experimenting using
something like the following:

# per-source rate limit: fire only after 2 matches from one source in 60 s
drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Incoming RDP Failure!"; \
    flow:to_server,established; \
    detection_filter:track by_src, count 2, seconds 60; \
    classtype:misc-activity; sid:10001; rev:2;)

This will log an event to Snorby, but it won't block me from trying again.

Does anyone have any experience with setting up RDP rules?

Please let me know.

Thanks in advance,

*Richard Giles | Trioptek Solutions, Inc. *
rgiles () trioptek com | www.trioptek.com
Office: (469) 277-2686 ext: 102
Support: http://support.trioptek.net
LinkedIn: linkedin.com/in/gilesrichard
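Added example, not part of the thread above: a rule in Snort 2.9 syntax that counts RDP connection requests per source instead of every RDP packet, and rate-limits with detection_filter. $EXTERNAL_NET, $HOME_NET and sid 10001 are reused from the quoted rule; the content matches assume the standard TPKT/X.224 Connection Request framing (0x03 0x00 at offset 0, 0xE0 at offset 5). Two caveats drive the design: Snort cannot tell a failed RDP password from a successful one, because the credential exchange (RDP security layer or CredSSP/NLA) is encrypted, so the best the sensor can count is connection attempts; and a drop action only drops packets when Snort runs inline, otherwise drop rules behave like alert rules, which is what logging to Snorby without blocking looks like.

```snort
# Added example (not from the thread). Snort 2.9 rule syntax.
# $EXTERNAL_NET, $HOME_NET and sid 10001 are taken from the rule quoted
# above; everything else here is this example's own choice.
#
# What this matches: the first client packet of an RDP session, the X.224
# Connection Request carried in a TPKT header. Matching that instead of
# "any packet to 3389" makes the counter a count of connection attempts,
# not of packets in an established session.
#
# What detection_filter does: it tracks matches per source address and
# suppresses the rule until the count is *exceeded* inside the window.
# With count 3, seconds 60 the first three connection requests from a host
# are silent; the fourth and every later one within the 60 s window fires
# the rule and, in inline mode, is dropped.
#
# What this cannot do: see the password. RDP authentication is encrypted,
# so "more than 3 failed passwords" is approximated by "more than 3
# connection requests in a minute" (brute-force tools open a new
# connection per guess).
drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( \
    msg:"RDP connection request: more than 3 from one source in 60s"; \
    flow:to_server,established; \
    content:"|03 00|"; depth:2; \
    content:"|E0|"; offset:5; depth:1; \
    detection_filter:track by_src, count 3, seconds 60; \
    classtype:attempted-recon; \
    sid:10001; rev:3; \
)

# Passive sensor: drop rules only alert. To actually drop, Snort must sit
# inline on the path, e.g. with the afpacket DAQ bridging two interfaces:
#
#   snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf
#
# and snort.conf should declare the policy as inline:
#
#   config policy_mode:inline
```

Note what the drop covers: only the matching packets (the excess connection requests), so the attacker's next attempt after the window closes goes through again. Blocking a source outright for a period is a firewall job; a common pattern is to feed the alerts from this rule to an external responder (fail2ban watching the Snort log, or a SnortSam-style agent) that inserts the firewall rule.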


_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
