[Snort-sigs] Creating a rule for RDP

Jason Haar Jason_Haar at ...3686...
Fri Feb 6 19:57:45 EST 2015

On 23/01/15 12:06, Richard Giles wrote:
> Hello,
> I am trying to write a simple snort rule that will block RDP traffic
> if the password is failed more than 3-5 times. I have been
> experimenting using something like the following:
As far as I'm aware RDP is a fully encrypted channel, so any failed
login messages are sent by the server to the client over that encrypted
channel. In other words, it's just like SSH.

i.e. Snort can't read it.

The only way I can think of to detect RDP failed logins is to monitor
the eventlogs of Windows servers for failed login events :-(


Jason Haar
Corporate Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
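
Doing what Jason suggests, counting failed logon events from the Windows Security log instead of sniffing the wire, as an added example that is not from the original post, from Snort, or from any Trimble tooling. The block runs a sliding-window detector over Event ID 4625 ("An account failed to log on") records and reports a source IP once it has reached the threshold of failures inside the window, which is the 3-5 failures Richard asked about. The flat record shape (fields ts, EventID, LogonType, TargetUserName, IpAddress) and the sample events are constructed for the demonstration; the threshold and window are tunable assumptions. Two caveats a practitioner hits in real logs: classic RDP failures carry LogonType 10 (RemoteInteractive), but with Network Level Authentication enabled the CredSSP pre-authentication failure is usually recorded with LogonType 3, and the IpAddress field can be "-", in which case there is nothing to block.

```python
"""Sliding-window detector for repeated RDP logon failures (Windows Security
Event ID 4625). Added example; the event records below are constructed, not
exported from a real host, and the field names are an assumption about how a
collector would flatten the EventData XML."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# 10 = RemoteInteractive (classic RDP). 3 = Network, which is how NLA/CredSSP
# pre-authentication failures are usually logged on an RDP host.
RDP_LOGON_TYPES = {3, 10}

# Constructed sample events (assumption: flattened 4625/4624 records).
SAMPLE_EVENTS = [
    # 192.0.2.9: five NLA-style failures ten minutes apart (slow, patient)
    {"ts": "2015-02-06T19:00:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc", "IpAddress": "192.0.2.9"},
    {"ts": "2015-02-06T19:10:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc", "IpAddress": "192.0.2.9"},
    {"ts": "2015-02-06T19:20:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc", "IpAddress": "192.0.2.9"},
    {"ts": "2015-02-06T19:30:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc", "IpAddress": "192.0.2.9"},
    {"ts": "2015-02-06T19:40:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc", "IpAddress": "192.0.2.9"},
    # 203.0.113.7: six failures in under two minutes, then a success
    {"ts": "2015-02-06T19:50:01", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"ts": "2015-02-06T19:50:14", "EventID": 4625, "LogonType": 10, "TargetUserName": "administrator", "IpAddress": "203.0.113.7"},
    {"ts": "2015-02-06T19:50:29", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"ts": "2015-02-06T19:50:45", "EventID": 4625, "LogonType": 10, "TargetUserName": "admin", "IpAddress": "203.0.113.7"},
    {"ts": "2015-02-06T19:51:02", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"},
    {"ts": "2015-02-06T19:51:20", "EventID": 4625, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"},
    {"ts": "2015-02-06T19:51:40", "EventID": 4624, "LogonType": 10, "TargetUserName": "backup", "IpAddress": "203.0.113.7"},
    # 198.51.100.23: a user mistyping a password twice
    {"ts": "2015-02-06T19:52:00", "EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.23"},
    {"ts": "2015-02-06T19:52:30", "EventID": 4625, "LogonType": 10, "TargetUserName": "jsmith", "IpAddress": "198.51.100.23"},
    # NLA failure with no source address: nothing to attribute or block
    {"ts": "2015-02-06T19:53:00", "EventID": 4625, "LogonType": 3, "TargetUserName": "svc", "IpAddress": "-"},
]


def parse_ts(value):
    """Timestamps in the constructed records are ISO 8601 without zone."""
    return datetime.fromisoformat(value)


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"count": n, "users": [...], "first": ts, "last": ts}}
    for every source that produced at least `threshold` RDP logon failures
    inside any `window`-long interval. Successes (4624) and other logon types
    are ignored; records without a source address are skipped."""
    recent = defaultdict(deque)   # ip -> deque of (ts, user) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev.get("EventID") != 4625 or ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip = ev.get("IpAddress") or "-"
        if ip == "-":
            continue
        ts = parse_ts(ev["ts"])
        q = recent[ip]
        q.append((ts, ev.get("TargetUserName", "?")))
        # Drop failures that fell out of the window before counting.
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = {
                "count": len(q),
                "users": sorted({u for _, u in q}),
                "first": q[0][0],
                "last": ts,
            }
    return alerts


if __name__ == "__main__":
    for ip, info in find_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['count']} failures {info['first']}..{info['last']} "
              f"against {', '.join(info['users'])}")
```

With the defaults (5 failures in 5 minutes) only 203.0.113.7 fires; the slow attempts from 192.0.2.9 only show up if the window is widened, which is the usual trade-off between catching low-and-slow guessing and paging on a user who forgot a password. Snort cannot act on this itself; the offending address has to be pushed to whatever does the blocking (a host firewall rule, a perimeter ACL, or the Windows account lockout policy). Collect the Security log centrally first, since an attacker who gets in can clear the local one.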

