[Snort-sigs] updated MS-RDP signature?
andreaso at ...58...
Fri Oct 31 10:25:16 EST 2003
I'm not sure what RDP sig you're referring to.
The only RDP sigs I can find are sid 1447 and 1448 and they are not based
only on port numbers. Anyway, you may find these useful as well:
On Thu, 30 Oct 2003, Charles Hamby wrote:
> I've noticed that the existing rule for the Remote Desktop Protocol seems to
> result in an unusually high number of FPs. I'm assuming that it's because
> it's based strictly on the port number as opposed to any sort of content or
> anything else. Before I sit down and start attempting to hash out a new
> signature, I was wondering if anyone out there had already developed one (I
> hate re-inventing the wheel if I don't have to).
> Charles Hamby