[Snort-sigs] updated MS-RDP signature?

Andreas Östling andreaso at ...58...
Fri Oct 31 10:25:16 EST 2003

I'm not sure what RDP sig you're referring to.
The only RDP sigs I can find are sid 1447 and 1448 and they are not based
only on port numbers. Anyway, you may find these useful as well:


On Thu, 30 Oct 2003, Charles Hamby wrote:

> I've noticed that the existing rule for the Remote Desktop Protocol seems to
> result in an unusually high number of FPs.  I'm assuming that it's because
> it's based strictly on the port number as opposed to any sort of content or
> anything else.  Before I sit down and start attempting to hash out a new
> signature, I was wondering if anyone out there had already developed one (I
> hate re-inventing the wheel if I don't have to).
> Charles Hamby
