[Snort-sigs] WinXP remote desktop rules--newbie help

John York YorkJ at ...855...
Fri Jun 27 07:41:02 EDT 2003

Thanks Andreas--that was really helpful.  It looks like WinXP remote desktop follows most of the things in your post, http://www.geocrawler.com/archives/3/6752/2002/3/50/8170634/

The connection confirm and connection request rules work fine.  The disconnect request does not--I couldn't find any packets with that set, so MS must have changed the protocol there.

SID 1447 doesn't fire on WinXP remote desktop.  It includes the rdp packet length and MS has added a cookie, previous user name, which changed the length.

SID 1448 should have fired--apparently I have something messed up with my $HOME_NET and $EXTERNAL_NET.  When I changed them to any, it did fire.

For the dl, here's some info Andreas led me to:
TPDU packet header info from http://www.rdesktop.org/docs/rfc2126.html which appears to work for RDP:

   A TPKT consists of two part:

   - a Packet Header

   - a TPDU.

   The format of the Packet Header is constant regardless of the type of
   TPDU. The format of the Packet Header is as follows:

   |version |reserved| packet length  |             TPDU             |
   <8 bits> <8 bits> <   16 bits    > <       variable length       >


   - Protocol Version Number
     length: 8 bits
     Value:  3

   - Reserved
     length: 8 bits
     Value:  0 - (See 'Notes to Implementors' section 6.10)

   - Packet Length
     length: 16 bits
     Value:  Length of the entire TPKT in octets, including Packet

   - TPDU
     ISO Transport TPDU as defined in ISO 8073 and as defined in this

Andreas' info from rdesktop source:
/* ISO PDU codes */
        ISO_PDU_CR = 0xE0, /* Connection Request */
        ISO_PDU_CC = 0xD0, /* Connection Confirm */
        ISO_PDU_DR = 0x80, /* Disconnect Request */
        ISO_PDU_DT = 0xF0, /* Data */
        ISO_PDU_ER = 0x70  /* Error */
(This shows up in the 2nd byte of the TPDU, 6th byte of the L3 payload. Jy)

Andreas' rules (updated with flow, vs A+):
Incoming RDP connection request:
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "RDP connection
request"; content: "|03|"; offset: 0; depth: 1; content: "|E0|"; offset: 5; 
depth: 1; flow: to_server;)

Outgoing RDP connection confirm:
alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg: "RDP connection
confirm"; content: "|03|"; offset: 0; depth: 1; content: "|D0|"; offset: 5; 
depth: 1; flow: from_server;)

Incoming RDP disconnect request:
(WinXP remote desktop doesn't appear to use this, so the rule didn't fire)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "RDP disconnect
request"; content: "|03|"; offset: 0; depth: 1; content: "|80|"; offset: 5; 
depth: 1; flags: A+;)


Thanks for Oinkmaster, too!  It's great!

John York
Network Engineer
Blue Ridge Community College
1 College Lane, Weyers Cave, VA 24486

> -----Original Message-----
> From: Andreas Östling [mailto:andreaso at ...58...]
> Sent: Friday, June 27, 2003 3:52 AM
> To: John York
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] WinXP remote desktop rules--newbie help
> On Thursday 26 June 2003 23.05, John York wrote:
> > Does anyone have rules that log WinXP remote desktop sessions starting
> > and stopping?
> Perhaps this is still useful:
> http://www.geocrawler.com/archives/3/6752/2002/3/50/8170634/
> And there is also sid 1447, "MISC MS Terminal server request (RDP)".
> /Andreas

More information about the Snort-sigs mailing list