[Snort-sigs] rule documentation for MISC Invalid PCAnywhere Login

Josh.Sakofsky at ...1573...
Mon Jun 9 08:26:04 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: MISC Invalid PCAnywhere Login

--
Sid: 511

--
Summary: A remote user has unsuccessfully tried to log in to an internal 
box running PCAnywhere.

--
Impact: Minimal

--
Detailed Information: PCAnywhere is a remote control service for Windows 
hosts that typically runs on port 5631.
PCAnywhere acts like an X server and gives a remote user the ability to 
see the host's screen. 
If a user fails to log in correctly to PCAnywhere, the service sends a 
packet containing the phrase "Invalid Login".

--
Affected Systems: Windows boxes running PCAnywhere.

--
Attack Scenarios: An attacker may be attempting to run a brute force 
attack on the host.

--
Ease of Attack: Easy

--
False Positives: None Known

--
False Negatives: None Known

--
Corrective Action: Disallow PCAnywhere from external sources.

--
Contributors: Original rule writer unknown.
              Josh Sakofsky
-- 
Additional References: N/A
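
Added example (not part of the original post and not Snort project code): the rule fires on the service's reply, so the alert source is the PCAnywhere host and the alert destination is the remote client. Counting sid 511 alerts per destination within a time window separates a mistyped password from the brute-force scenario described above. The fast-format alert lines, addresses, rev, the year 2003, and the threshold and window values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample alerts in Snort "fast" alert layout (addresses, times, rev made up).
SAMPLE_ALERTS = """\
06/09-08:26:04.101000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 198.51.100.7:1041
06/09-08:26:09.220000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 198.51.100.7:1042
06/09-08:26:15.310000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 198.51.100.7:1043
06/09-08:26:20.480000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 198.51.100.7:1044
06/09-08:26:26.050000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 198.51.100.7:1045
06/09-08:26:31.770000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 198.51.100.7:1046
06/09-08:27:00.000000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 203.0.113.5:2200
06/09-08:30:00.000000  [**] [1:1000001:1] Constructed unrelated alert [**] [Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.7:1050
06/09-08:41:12.000000  [**] [1:511:1] MISC Invalid PCAnywhere Login [**] [Priority: 2] {TCP} 192.0.2.10:5631 -> 203.0.113.5:2201
"""

# Match only generator 1, sid 511, any rev. Source = PCAnywhere host, destination = client.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[1:511:\d+\].*"
    r"\{TCP\}\s+(?P<server>[\d.]+):\d+\s+->\s+(?P<client>[\d.]+):\d+"
)

def find_bruteforce(text, threshold=5, window=timedelta(seconds=60), year=2003):
    """Return {(client, server): peak failures inside one window} for pairs
    that reach `threshold`. Fast alerts carry no year, so `year` is assumed."""
    recent = defaultdict(deque)   # (client, server) -> timestamps still inside the window
    flagged = {}
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue              # other sids and malformed lines are ignored
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        key = (m["client"], m["server"])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

if __name__ == "__main__":
    for (client, server), n in find_bruteforce(SAMPLE_ALERTS).items():
        print(f"{client} -> {server}: {n} failed PCAnywhere logins within 60s")
```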