[Snort-sigs] A few experimental RDP rules.
andreaso at ...58...
Thu Mar 21 06:07:05 EST 2002
I've been seeing a lot of hostile MS terminal services/RDP traffic lately.
The best RDP documentation seems to be the rdesktop source code
(http://www.rdesktop.org). The actual data in the RDP packets are hopefully
always encrypted, but we can still watch the RDP header and find out what
kind of packet it is (connection request/confirm etc), which is often enough
to catch hostile activities.
The sixth byte (starting at 1) in the RDP header is really interesting.
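As an added example (not code from the original post or from rdesktop) of what that sixth byte gives a watcher: a small Python parser for the TPKT/X.224 header that sits in front of the encrypted RDP payload, run over two constructed packets. The TPDU codes (0xE0 connection request, 0xD0 connection confirm, 0xF0 data) are from RFC 1006/X.224, and the "mstshash" cookie layout in the connection request is an assumption taken from the usual client behaviour.

```python
import struct

# X.224 TPDU code lives in byte 6 (1-indexed) of a TPKT-framed RDP packet:
# bytes 1-4 TPKT (version 3, reserved, 16-bit length), byte 5 X.224 length
# indicator, byte 6 TPDU code; the high nibble identifies the TPDU type.
TPDU_TYPES = {0xE: "connection-request", 0xD: "connection-confirm",
              0xF: "data", 0x8: "disconnect-request"}

def classify_rdp(packet: bytes):
    """Return a dict describing the X.224 header, or None if not TPKT/X.224."""
    if len(packet) < 6 or packet[0] != 3:           # TPKT version must be 3
        return None
    tpkt_len = struct.unpack("!H", packet[2:4])[0]
    if tpkt_len != len(packet):                     # length field must match
        return None
    x224_len, code = packet[4], packet[5]
    info = {"type": TPDU_TYPES.get(code >> 4, "unknown"), "code": code}
    if info["type"] == "connection-request" and x224_len > 6:
        # CR fixed part is 6 bytes after the length indicator (code, dst-ref,
        # src-ref, class); the variable part usually carries a client cookie.
        cookie = packet[11:11 + x224_len - 6].split(b"\r\n")[0]
        info["cookie"] = cookie.decode("ascii", "replace")
    return info

def alert_on_rdp(packets):
    """Snort-style messages for the handshake packets a defender would log
    (the equivalent rule is a 1-byte content match at offset 5)."""
    alerts = []
    for pkt in packets:
        info = classify_rdp(pkt)
        if info and info["type"] in ("connection-request", "connection-confirm"):
            alerts.append("RDP %s (X.224 code 0x%02x)" % (info["type"], info["code"]))
    return alerts

# Constructed sample packets (not captured traffic).
COOKIE = b"Cookie: mstshash=user\r\n"                      # 23 bytes
SAMPLE_CR = b"\x03\x00\x00\x22\x1d\xe0" + b"\x00" * 5 + COOKIE  # 34 bytes
SAMPLE_CC = b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"     # 11 bytes

if __name__ == "__main__":
    for line in alert_on_rdp([SAMPLE_CR, SAMPLE_CC, b"GET / HTTP/1.0\r\n"]):
        print(line)
```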