[Snort-sigs] WinXP remote desktop rules--newbie help
YorkJ at ...855...
Thu Jun 26 14:06:10 EDT 2003
Does anyone have rules that log WinXP remote desktop sessions starting
and stopping? I believe remote desktop is just MS terminal
server/client, or a minor variant. When I sniff the sessions, about all
I can find to detect a login attempt is that the server has "/ RSA1H" in
the payload of one of the early replies when it sets up encryption.
Everything after that, including tear down, is either encrypted or in a
form I can't read.
I have these rules for login attempt and tear down, but they are pretty
crude. I'm monitoring the default port to cut down on falses.
alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"LOCAL Remote desktop logon attempt \ response"; flow: from_server,established; content: "|5c00|RSA1H"; depth: 320;)
(I'm planning to adjust it to offset: 128; depth: 64; but I haven't
tested it yet.)
alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"LOCAL Reset flag on
(A clumsy way to catch the end of the session.)
If you know a better way, I'd be happy to learn.
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
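Added example (editor's code, not part of the original post or of Snort): a small Python model of how the content / offset / depth options in the rule above decide a match, with the content string "|5c00|RSA1H" decoded the way Snort reads |hex| sections and run against constructed stand-in payloads. The window semantics (search starts at offset and covers depth bytes) follow the Snort 2 manual as I read it, and the payloads are fabricated filler, not RDP captures.

```python
"""Model of how the Snort 2 'content' / 'offset' / 'depth' options in the
RDP rule above decide a match, run against constructed payloads."""
from typing import Optional

RSA1H_RULE_CONTENT = "|5c00|RSA1H"   # content string taken from the posted rule


def parse_snort_content(spec: str) -> bytes:
    """Turn a Snort content string into bytes: text outside |...| is literal,
    text inside |...| is hex bytes (spaces allowed), e.g. "|5c00|RSA1H"."""
    parts = spec.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:                                  # inside |...|: hex
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                      # literal text
            out += part.encode("latin-1")
    return bytes(out)


def content_matches(payload: bytes, spec: str, offset: int = 0,
                    depth: Optional[int] = None) -> bool:
    """Snort 2 semantics (my reading of the manual): search the window that
    starts at 'offset' and extends 'depth' bytes (whole payload when depth is
    omitted); the pattern must lie entirely inside that window."""
    pattern = parse_snort_content(spec)
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]


def fake_rdp_reply(marker_offset: int, total_len: int = 400) -> bytes:
    """Constructed stand-in for an early server reply: zero filler with the
    marker placed at marker_offset. Not a real RDP capture."""
    marker = parse_snort_content(RSA1H_RULE_CONTENT)
    body = bytearray(total_len)
    body[marker_offset:marker_offset + len(marker)] = marker
    return bytes(body)


def compare_rule_variants(marker_offset: int) -> dict:
    """Evaluate the posted rule (depth:320) and the planned tighter variant
    (offset:128; depth:64) against the same constructed payload."""
    payload = fake_rdp_reply(marker_offset)
    return {
        "depth_320": content_matches(payload, RSA1H_RULE_CONTENT, depth=320),
        "offset_128_depth_64": content_matches(payload, RSA1H_RULE_CONTENT,
                                               offset=128, depth=64),
    }


if __name__ == "__main__":
    for pos in (150, 190, 300):
        print(pos, compare_rule_variants(pos))
```

Running it shows the trade-off in the post: a marker that sits anywhere in the first 320 bytes fires the depth:320 rule, while the offset:128/depth:64 variant only fires when the whole 7-byte marker lies between bytes 128 and 192.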