[Snort-sigs] " ..MS Terminal Server no encryption.. " misfire?

Nigel Houghton nigel at ...435...
Fri Aug 27 11:19:14 EDT 2004


On  0, Ben Dugdale <ben.dugdale at ...2751...> allegedly wrote:
> The "... MS Terminal Server no encryption session initiation attempt"
> rule seems to be misfiring.
> 
> False Positives:
> Connect to a MS Server using rdesktop.
> 
> The rdesktop man page seems to indicate that default use is encrypted.
> 
> From the rdesktop man page...
> 
>        -e     Disable encryption.  This option is only needed (and will only work) if  you
>               have a French version of NT TSE.
> 
>        -E     Disable  encryption  from  client  to server.  This sends an encrypted login
>               packet, but everything after  this  is  unencrypted  (including  interactive
>               logins).
> 
> Either the rule is misfiring or rdesktop is not behaving as advertised. Evidence suggests a misfire.
> 
> --

Please send packet capture data to support your findings.

+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team

  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
+-------------------------------------------------------------------------+



