Snort mailing list archives

Re: Creating a rule for RDP


From: Scott Savarese <scott.savarese () vitals com>
Date: Fri, 23 Jan 2015 13:29:08 -0500

Richard, I’m brand new to Snort and haven’t tried this… so don’t take my word on this…

Why not do it in two parts? The first part defines the alert. I’m going to use telnet as the example. It's stock in my 
rules, so I would think you have it too.

alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;)

Then you need to throttle it: http://manual.snort.org/node19.html. It talks about 
rate limiting. In the case above the gen_id is 1 and sig_id is 492. But you can set the rate filter action to 
drop/reject.
    rate_filter \
        gen_id <gid>, sig_id <sid>, \
        track <by_src|by_dst|by_rule>, \
        count <c>, seconds <s>, \
        new_action alert|drop|pass|log|sdrop|reject, \
        timeout <seconds> \
        [, apply_to <ip-list>]

Scott 

On Jan 23, 2015, at 10:45 AM, Richard Giles <rgiles () trioptek net> wrote:

Does anyone maybe have an example of a rule that blocks or drops the traffic? I am interested specifically in blocking RDP 
traffic after a password is failed more than 3 times.

Thanks in advance,


 
Richard Giles | Trioptek Solutions, Inc. 
rgiles () trioptek com | www.trioptek.com
Office: (469) 277-2686 ext: 102
Support: http://support.trioptek.net
LinkedIn: linkedin.com/in/gilesrichard
 

On Thu, Jan 22, 2015 at 5:06 PM, Richard Giles <rgiles () trioptek net> wrote:
Hello,

I am trying to write a simple Snort rule that will block RDP traffic if the password is failed more than 3-5 times. I 
have been experimenting using something like the following:

drop tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Incoming RDP Failure!"; flow:to_server,established; count 2, seconds 60; classtype:misc-activity; sid:10001; rev:2;)

This will log an event to Snorby, but it won't block me from trying again. 

Does anyone have any experience with setting up RDP rules?

Please let me know.

Thanks in advance, 
 
Richard Giles | Trioptek Solutions, Inc. 
rgiles () trioptek com | www.trioptek.com
Office: (469) 277-2686 ext: 102
Support: http://support.trioptek.net
LinkedIn: linkedin.com/in/gilesrichard
 

------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
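The rate_filter mechanism Scott points to is easier to reason about once its three knobs (count, seconds, timeout) are seen operating on a stream of events. The following is an added example written for this archive page, not code from Snort or from either poster: a small Python model of the rate_filter semantics described in the Snort manual (count matches within a seconds window, tracked per source, then switch the rule's action to new_action for timeout seconds), driven by a few constructed RDP alert events. The gid/sid values follow Richard's rule (gen_id 1, sig_id 10001); the count/seconds/timeout values and the event timestamps are assumptions chosen to illustrate the behaviour. Note the caveat that Richard's rule as posted matches every established packet to port 3389, not failed logons, so a rate_filter attached to it would throttle every client after the configured number of packets; the model only shows the counting and timeout logic, not how an RDP authentication failure would be recognised.

```python
"""Toy model of Snort's rate_filter semantics (added example, not Snort's code).

Models roughly this configuration line (values are assumptions for illustration):

    rate_filter gen_id 1, sig_id 10001, track by_src, count 3, seconds 60, \
        new_action drop, timeout 300
"""
from dataclasses import dataclass, field


@dataclass
class RateFilter:
    gen_id: int
    sig_id: int
    track: str          # "by_src", "by_dst" or "by_rule"
    count: int          # matches within `seconds` that trigger the switch
    seconds: int        # length of the counting window
    new_action: str     # action used once the threshold is crossed
    timeout: int        # seconds the new action stays in force; 0 = permanent
    _state: dict = field(default_factory=dict)

    def _key(self, ev):
        # One counter per source, per destination, or one for the whole rule.
        if self.track == "by_src":
            return ev["src"]
        if self.track == "by_dst":
            return ev["dst"]
        return None

    def apply(self, ev, original_action):
        """Return the action Snort would take for this event."""
        if (ev["gid"], ev["sid"]) != (self.gen_id, self.sig_id):
            return original_action          # filter does not cover this rule
        st = self._state.setdefault(self._key(ev), {"start": None, "n": 0, "until": None})
        t = ev["ts"]
        if st["until"] is not None:
            # Threshold already crossed: keep new_action until the timeout expires.
            if self.timeout == 0 or t < st["until"]:
                return self.new_action
            st["start"], st["n"], st["until"] = None, 0, None
        if st["start"] is None or t - st["start"] >= self.seconds:
            # No window yet, or the window expired: start counting afresh.
            st["start"], st["n"] = t, 0
        st["n"] += 1
        if st["n"] >= self.count:
            st["until"] = t + self.timeout
            return self.new_action
        return original_action


def run(events, rf, original_action="alert"):
    """Feed events through the filter in order and collect the resulting actions."""
    return [rf.apply(ev, original_action) for ev in events]


# Constructed sample events: timestamps in seconds, one attacker-ish source
# (203.0.113.9) and one unrelated client (198.51.100.4), both hitting sid 10001.
EVENTS = [
    {"ts": 0,   "gid": 1, "sid": 10001, "src": "203.0.113.9",  "dst": "10.0.0.20"},
    {"ts": 10,  "gid": 1, "sid": 10001, "src": "203.0.113.9",  "dst": "10.0.0.20"},
    {"ts": 20,  "gid": 1, "sid": 10001, "src": "198.51.100.4", "dst": "10.0.0.20"},
    {"ts": 25,  "gid": 1, "sid": 10001, "src": "203.0.113.9",  "dst": "10.0.0.20"},  # 3rd in 60 s
    {"ts": 100, "gid": 1, "sid": 10001, "src": "203.0.113.9",  "dst": "10.0.0.20"},  # inside timeout
    {"ts": 400, "gid": 1, "sid": 10001, "src": "203.0.113.9",  "dst": "10.0.0.20"},  # timeout expired
]


def demo():
    rf = RateFilter(gen_id=1, sig_id=10001, track="by_src", count=3, seconds=60,
                    new_action="drop", timeout=300)
    return run(EVENTS, rf)


if __name__ == "__main__":
    for ev, action in zip(EVENTS, demo()):
        print(f"t={ev['ts']:>4} src={ev['src']:<14} -> {action}")
```

Running it shows the third event from 203.0.113.9 inside the 60-second window flipping to drop, the event at t=100 still dropped because the 300-second timeout is in force, and the event at t=400 back to alert once the timeout has lapsed, while the other client's single event is never affected because tracking is by source.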

