[Snort-sigs] WinXP remote desktop rules--newbie help

John York YorkJ at ...855...
Thu Jun 26 14:06:10 EDT 2003

Does anyone have rules that log WinXP remote desktop sessions starting
and stopping?  I believe remote desktop is just MS terminal
server/client, or a minor variant.  When I sniff the sessions, about all
I can find to detect a login attempt is that the server has "/ RSA1H" in
the payload of one of the early replies when it sets up encryption.
Everything after that, including tear down, is either encrypted or in a
form I can't read.

I have these rules for login attempt and tear down, but they are pretty
crude.  I'm monitoring the default port to cut down on falses.  

alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"LOCAL Remote desktop logon attempt \ response"; flow: from_server,established; content: "|5c00|RSA1H"; depth: 320;)
(I'm planning to adjust it to offset: 128; depth: 64; but I haven't
tested it yet.)

alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg:"LOCAL Reset flag on 3389"; flags: R;)
(A clumsy way to catch the end of the session.)

If you know a better way, I'd be happy to learn.


John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486
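The matching logic of the two rules above, worked through in Python as an added example (not code from the post): it implements Snort's content/offset/depth window semantics, applies them to constructed packet records (the dict fields and sample payload bytes are assumptions), and also exercises the tighter offset:128/depth:64 variant the author plans to test.

```python
"""Replay of the post's two Snort rules over constructed RDP packet records."""
from typing import Optional

RDP_PORT = 3389
LOGON_MARKER = b"\x5c\x00RSA1H"   # the |5c00|RSA1H content from the rule


def content_match(payload: bytes, pattern: bytes,
                  offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort semantics: the search starts `offset` bytes into the payload and
    the pattern must fit entirely within the next `depth` bytes (whole
    remaining payload when depth is None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def classify(pkt: dict, offset: int = 0, depth: int = 320) -> Optional[str]:
    """Return the alert a server->client packet would raise, or None.
    `offset`/`depth` default to the posted rule; pass 128/64 for the
    planned tighter version."""
    if pkt["src_port"] != RDP_PORT:
        return None
    if "R" in pkt["flags"]:                      # flags: R; (session teardown)
        return "LOCAL Reset flag on 3389"
    if content_match(pkt["payload"], LOGON_MARKER, offset, depth):
        return "LOCAL Remote desktop logon attempt response"
    return None


def session_events(packets: list, offset: int = 0, depth: int = 320) -> list:
    """(packet index, alert message) for every packet that would alert."""
    return [(i, ev) for i, pkt in enumerate(packets)
            if (ev := classify(pkt, offset, depth))]


# Constructed sample (assumed layout, not a real capture): a short reply,
# a security-setup reply carrying the marker 140 bytes in, an opaque
# encrypted record, and finally the RST that ends the session.
SAMPLE = [
    {"src_port": 3389, "dst_port": 51234, "flags": "PA",
     "payload": b"\x03\x00\x00\x0b\x06\xd0\x00\x00\x12\x34\x00"},
    {"src_port": 3389, "dst_port": 51234, "flags": "PA",
     "payload": b"\x03\x00" + b"\x00" * 138 + LOGON_MARKER + b"\x00" * 200},
    {"src_port": 3389, "dst_port": 51234, "flags": "PA",
     "payload": bytes(range(256))},            # 0x5c is followed by 0x5d, no match
    {"src_port": 3389, "dst_port": 51234, "flags": "RA", "payload": b""},
]

if __name__ == "__main__":
    for idx, msg in session_events(SAMPLE):
        print(f"packet {idx}: {msg}")
```

Note that the RST rule fires on any reset from port 3389, including one sent in answer to a probe when nothing is listening, so it cannot by itself distinguish a torn-down session from a refused connection.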
