[Snort-sigs] POLICY VNC server response

Sam Adams drunkzebra at ...12...
Tue Dec 30 07:50:42 EST 2003


Wouldn't this signature be more useful:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY VNC server response"; flow:established, from_server; content:"RFB 0"; offset:0; depth:5; content:".0"; offset:7; depth:2; classtype:misc-activity; sid:560; rev:5;)

than the current one:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; offset:0; depth:5; content:".0"; offset:7; depth:2; classtype:misc-activity; sid:560; rev:5;)

With the new one - we could detect internal VNC servers as opposed to 
external ones. Most security policies probably aren't concerned with 
internal hosts accessing external VNC servers, while having an external host 
access an internal VNC server would violate almost any policy.
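To make the direction argument concrete, here is an added example (not from the post and not Snort's own code) that models the content/offset/depth checks the two rules share and the direction test that differs between them; $HOME_NET as 10.0.0.0/24 and the traffic are constructed assumptions.

```python
# Toy evaluator for the two versions of sid:560 discussed above (constructed example).
# It models Snort's absolute content/offset/depth matching and the direction checks,
# then shows which rule fires for an internal versus an external VNC server.
# $HOME_NET is assumed to be 10.0.0.0/24; all segments below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("10.0.0.0/24")  # assumption, stands in for $HOME_NET

def content_match(payload: bytes, pattern: bytes, offset: int, depth: int) -> bool:
    """content with offset/depth: look for pattern only in payload[offset:offset+depth]."""
    return pattern in payload[offset:offset + depth]

def vnc_banner(payload: bytes) -> bool:
    """Content checks shared by both rules: 'RFB 0' at bytes 0..4 and '.0' at 7..8,
    which matches an RFB version string such as b'RFB 003.008\\n'."""
    return (content_match(payload, b"RFB 0", offset=0, depth=5)
            and content_match(payload, b".0", offset=7, depth=2))

@dataclass
class Segment:
    src: str           # IP that sent this segment
    dst: str
    from_server: bool  # True when the sender is the side that accepted the connection
    payload: bytes     # flow:established is assumed for every segment here

def is_home(ip: str) -> bool:
    return ip_address(ip) in HOME_NET

def current_rule(seg: Segment) -> bool:
    """sid:560 as shipped: $EXTERNAL_NET -> $HOME_NET, flow:established."""
    return (not is_home(seg.src)) and is_home(seg.dst) and vnc_banner(seg.payload)

def proposed_rule(seg: Segment) -> bool:
    """Proposed variant: $HOME_NET -> $EXTERNAL_NET, flow:established,from_server."""
    return (is_home(seg.src) and not is_home(seg.dst) and seg.from_server
            and vnc_banner(seg.payload))

def compare(seg: Segment) -> dict:
    return {"current": current_rule(seg), "proposed": proposed_rule(seg)}

# Constructed traffic: the RFB version banner a VNC server sends right after connect.
BANNER = b"RFB 003.008\n"
# Case 1: external client reached an internal VNC server; the banner flows outbound.
internal_server = Segment("10.0.0.7", "203.0.113.5", True, BANNER)
# Case 2: internal client reached an external VNC server; the banner flows inbound.
external_server = Segment("198.51.100.9", "10.0.0.20", True, BANNER)

if __name__ == "__main__":
    print("internal server:", compare(internal_server))  # current False, proposed True
    print("external server:", compare(external_server))  # current True, proposed False
```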
