[Snort-sigs] Creating a rule for RDP

Dave Killion dave.killion at ...2420...
Sat Feb 7 02:35:22 EST 2015

While that's true - RDP is encrypted - a poor man's brute-force detection is to detect n-connections in y seconds between IP peers.  Say... 5 connections in 10 seconds?

A real user wouldn't go that fast unless they were rapidly trying credentials, and a script would go much faster.   You may need to tune the interval, however, to something that makes sense in your network. 

Yes, this has problems with NAT, and yes, it has problems with slow brute, but... It's better than nothing, and I know with certainty that many commercial IDS' do exactly this. 

Dave Killion

> On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar at ...3686...> wrote:
>> On 23/01/15 12:06, Richard Giles wrote:
>> Hello,
>> I am trying to write a simple snort rule that will block RDP traffic if the password is failed more then 3-5 times. I have been experimenting using something like the following:
> As far as I'm aware RDP is a fully encrypted channel, so any failed login messages are sent by the server to the client over that encrypted channel. In other words, it's just like SSH
> ie snort can't read it.
> The only way I can think of to detect RDP failed logins is to monitor the eventlogs of Windows servers for failed login events :-(
> -- 
> Cheers
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

More information about the Snort-sigs mailing list