[Snort-sigs] POLICY VNC server response

Nigel Houghton nigel at ...435...
Tue Dec 30 08:32:14 EST 2003

Around Yesterday Sam Adams said:

SA :Wouldn't this signature be more useful:
SA :
SA :alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY VNC server
SA :response"; flow:established, from_server; content:"RFB 0"; offset:0;
SA :depth:5; content:".0"; offset:7; depth:2; classtype:misc-activity; sid:560;
SA :rev:5;)
SA :
SA :than the current one:
SA :
SA :alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server
SA :response"; flow:established; content:"RFB 0"; offset:0; depth:5;
SA :content:".0"; offset:7; depth:2; classtype:misc-activity; sid:560; rev:5;)
SA :
SA :With the new one - we could detect internal VNC servers as opposed to
SA :external ones. Most security policies probably aren't concerned with
SA :internal hosts accessing external VNC servers, while having an external host
SA :access an internal VNC server would violate almost any policy.

I would think both rules might be useful.

Nigel Houghton        Security Research Engineer        Sourcefire Inc.
                     Vulnerability Research Team

"In an emergency situation involving two or more officers of equal rank,
seniority will be granted to whichever officer can program a vcr."
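The two rule variants above differ only in the direction the server's banner must travel. The following Python is an added example (not from the thread, and not a Sourcefire or Snort artefact) that re-implements the content matches of sid:560 and both direction checks over constructed RFB banners; the 10.0.0.0/8 $HOME_NET and treating $EXTERNAL_NET as !$HOME_NET are assumptions for the demo.

```python
"""Added example: minimal model of the two sid:560 variants quoted above.

Both match the RFB ProtocolVersion banner a VNC server sends first
("RFB 003.008\n" etc.); they differ in which way that server->client
packet crosses the $HOME_NET boundary.
"""
import ipaddress

# Constructed stand-in for $HOME_NET (not from the thread). $EXTERNAL_NET
# is modelled as !$HOME_NET, the common snort.conf choice.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


def rfb_banner_match(payload: bytes) -> bool:
    """Reproduce the rule's two content options:
    content:"RFB 0"; offset:0; depth:5;  and  content:".0"; offset:7; depth:2;
    With depth equal to the pattern length, each is an exact slice test."""
    return payload[0:5] == b"RFB 0" and payload[7:9] == b".0"


def vnc_rules_fired(src_ip: str, dst_ip: str, payload: bytes) -> list:
    """Return which variants would alert on a server->client TCP payload
    travelling src_ip -> dst_ip (flow:established is assumed; only the
    content and direction checks are modelled)."""
    if not rfb_banner_match(payload):
        return []
    src_home = ipaddress.ip_address(src_ip) in HOME_NET
    dst_home = ipaddress.ip_address(dst_ip) in HOME_NET
    fired = []
    # Current rule: $EXTERNAL_NET -> $HOME_NET. The banner is sent by the
    # server, so this catches an external VNC server reached by an inside host.
    if not src_home and dst_home:
        fired.append("current: external VNC server")
    # Proposed rule: $HOME_NET -> $EXTERNAL_NET, flow:from_server. The same
    # banner leaving the network means an internal VNC server is being used
    # from outside, the case the policy most likely cares about.
    if src_home and not dst_home:
        fired.append("proposed: internal VNC server")
    return fired


if __name__ == "__main__":
    banner = b"RFB 003.008\n"  # constructed server banner
    print(vnc_rules_fired("198.51.100.7", "10.1.2.3", banner))
    print(vnc_rules_fired("10.1.2.3", "198.51.100.7", banner))
    print(vnc_rules_fired("10.1.2.3", "10.9.9.9", banner))  # neither fires
```

Running both checks side by side shows why Nigel's "both rules might be useful" holds: each direction is invisible to the other rule.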
