[Snort-sigs] MS Terminal Services Signature

Eric Appelboom eric at ...322...
Sat Jan 26 00:08:02 EST 2002

I am looking for some help to create a snort signature to detect failed
authentication attempts with Terminal Services to a Windows 2000\XP host
(TCP 3389).

Sniffing the response is difficult for Terminal Services will encrypt
traffic with 128-bit if the 128-bit client is used. 
It will also connect using a 40-bit or 56-bit key if that is what the
server is using.

The sniff below can reliably detect when someone connects and
disconnects from the server 
but I am looking for the response when the server rejects the client
after 5 failed login attempts.

C:\>windump "tcp dst port 3389 and tcp[13] & 3 !=0"
windump: listening
10:46:56.550356 myhost.27113 > desthost.3389: S 3200080168:3200080168(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:47:28.378500 myhost.27113 > desthost.3389: F 3200108969:3200108969(0) ack 3434405349 win 63009 (DF)

I am not referring to the TSAC high-encryption RDP client, just vanilla TS.

Eric Appelboom
Information Security
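
Added example, not part of the original post: a Python sketch that takes the SYN/FIN lines the windump filter above captures (`tcp[13] & 3` selects the FIN and SYN flag bits), rejoins records wrapped by a mail client, and pairs each SYN with its FIN to report connection duration. It works on packet metadata only and does not by itself identify failed logins; the function names and the second sample connection are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the windump format shown in the post (hostnames are
# the post's placeholders; the second connection is invented for illustration).
SAMPLE = """\
10:46:56.550356 myhost.27113 > desthost.3389: S 320008016
8:3200080168(0) win 64240 <mss 1460,nop,nop,sackOK> (DF)
10:47:28.378500 myhost.27113 > desthost.3389: F 320010896
9:3200108969(0) ack 3434405349 win 63009 (DF)
10:50:01.000000 myhost.27114 > desthost.3389: S 100:100(0) win 64240 (DF)
"""

LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) (\S+)\.(\d+) > (\S+)\.(\d+): ([SFRP.]+) ")

def unwrap(text):
    """Rejoin records that a mail client wrapped in the middle of a line."""
    records = []
    for line in text.splitlines():
        if re.match(r"\d\d:\d\d:\d\d\.\d+ ", line) or not records:
            records.append(line)      # a timestamp starts a new record
        else:
            records[-1] += line       # continuation of the previous record
    return records

def sessions(text):
    """Pair each client SYN with the client FIN on the same 4-tuple.

    Returns (closed, still_open). Timestamps carry no date, so a capture
    that crosses midnight is out of scope for this sketch.
    """
    open_syn, done = {}, []
    for rec in unwrap(text):
        m = LINE.match(rec)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        key = m.group(2, 3, 4, 5)     # (src, sport, dst, dport)
        flags = m.group(6)
        if "S" in flags:
            open_syn[key] = ts
        elif "F" in flags and key in open_syn:
            secs = (ts - open_syn.pop(key)).total_seconds()
            done.append((key, round(secs, 6)))
    return done, sorted(open_syn)
```
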

