[Snort-sigs] False positive: MISC MS Terminal Server no encryption session initiation attempt (SID 2418)

Matthew Watchinski mwatchinski at ...435...
Fri Feb 9 11:49:31 EST 2007


Got pcap?

If so, send it in to vrt < AT > sourcefire.com and we'll give it a look.

The pcap may explain this, but is the session for RDP actually encrypted
and that is why it's a false positive?

Cheers,
-matt

Russell Fulton wrote:
> On 8/02/2007, at 3:39 AM, Stephan Scholz wrote:
> 
>> I'd like to report a false positive concerning Windows Remote Desktop.
>>
>> Rule:  MISC MS Terminal Server no encryption session initiation attempt
>>
>> --
>> False Positives:
>> Update Windows XP SP2 client with optional update: "Remote Desktop Connection (Terminal Services Client 6.0) for Windows XP (KB925876)"
>> Connect to an RDP server. This will lead to a false positive.
> 
> Ah, so that's it!  I've been seeing these for some time and no one  
> could explain them.
> 
> Can this rule be tightened or should it be dropped?
> 
> Russell