[Snort-sigs] A few experimental RDP rules.

Andreas Östling andreaso at ...58...
Thu Mar 21 06:07:05 EST 2002


I've been seeing a lot of hostile MS terminal services/RDP traffic lately.
The best RDP documentation seems to be the rdesktop source code
(http://www.rdesktop.org). The actual data in the RDP packets are hopefully
always encrypted, but we can still watch the RDP header and find out what
kind of packet it is (connection request/confirm etc), which is often enough 
to catch hostile activities.

The sixth byte (starting at 1) in the RDP header is really interesting.
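As an added example, not code from the post or from the rdesktop project: a small Python classifier that reads the sixth byte of an RDP-over-TCP packet, the byte the post singles out, and names the PDU type, plus a tally of connection requests per source of the kind an RDP-scan rule would key on. It assumes the TPKT (RFC 1006) plus X.224 class 0 framing that rdesktop's iso.c implements; the sample packets and source labels are constructed, not captured.

```python
import struct
from typing import Optional

# X.224 TPDU codes as named in rdesktop's iso.c; the low nibble of the
# sixth byte carries credit/class bits, so only the high nibble is keyed on.
ISO_PDU_TYPES = {
    0xE0: "connection request",
    0xD0: "connection confirm",
    0x80: "disconnect request",
    0xF0: "data",
    0x70: "error",
}


def rdp_pdu_type(packet: bytes) -> Optional[str]:
    """Classify an RDP/ISO-over-TCP packet by its sixth byte (1-based).

    Bytes 1-4 are the TPKT header (version 3, reserved, 16-bit big-endian
    total length), byte 5 is the X.224 length indicator and byte 6 is the
    TPDU code.  Returns None when the framing does not fit.
    """
    if len(packet) < 6:
        return None
    version, _reserved, tpkt_len = struct.unpack("!BBH", packet[:4])
    if version != 3 or tpkt_len != len(packet):
        return None  # not TPKT, or a truncated/padded capture
    li = packet[4]
    if li + 5 > tpkt_len:
        return None  # X.224 header claims more than the TPKT length carries
    return ISO_PDU_TYPES.get(packet[5] & 0xF0)


def count_connection_requests(packets):
    """Tally connection-request PDUs per source label (labels are constructed)."""
    counts = {}
    for src, pkt in packets:
        if rdp_pdu_type(pkt) == "connection request":
            counts[src] = counts.get(src, 0) + 1
    return counts


# Constructed sample packets, not captured traffic.
CR = bytes.fromhex("0300000b06e00000000000")   # client connection request
CC = bytes.fromhex("0300000b06d00000123400")   # server connection confirm
DT = bytes.fromhex("03000009") + bytes([2, 0xF0, 0x80]) + b"\x01\x02"  # data PDU
BAD = b"GET / HTTP/1.1"                        # plain HTTP, not TPKT at all
```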
