[Snort-sigs] Creating a rule for RDP

Samuel M Westerfeld sam at ...2156...
Sat Feb 7 03:06:48 EST 2015


No need to reinvent the wheel. This can (and should) be done through Group
Policy or Local Security Policy in Windows.
On Feb 7, 2015 1:36 AM, "Dave Killion" <dave.killion at ...2420...> wrote:

> While that's true - RDP is encrypted - a poor man's brute-force detection
> is to detect n-connections in y seconds between IP peers.  Say... 5
> connections in 10 seconds?
>
> A real user wouldn't go that fast unless they were rapidly trying
> credentials, and a script would go much faster. You may need to tune the
> interval, however, to something that makes sense in your network.
>
> Yes, this has problems with NAT, and yes, it has problems with slow brute,
> but... it's better than nothing, and I know with certainty that many
> commercial IDSes do exactly this.
>
> Dave Killion
>
>
> > On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar at ...3686...> wrote:
> >
> >> On 23/01/15 12:06, Richard Giles wrote:
> >> Hello,
> >>
> >> I am trying to write a simple Snort rule that will block RDP traffic if
> the password fails more than 3-5 times. I have been experimenting with
> something like the following:
> >>
> > As far as I'm aware RDP is a fully encrypted channel, so any failed
> login messages are sent by the server to the client over that encrypted
> channel. In other words, it's just like SSH.
> >
> > i.e. Snort can't read it.
> >
> > The only way I can think of to detect RDP failed logins is to monitor
> the eventlogs of Windows servers for failed login events :-(
> > --
> > Cheers
> >
> > Jason Haar
> > Corporate Information Security Manager, Trimble Navigation Ltd.
> > Phone: +1 408 481 8171
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> >
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
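Dave's "n connections in y seconds" idea, written out as a Snort 2.9 rule. This is an added example, not a rule from the thread or from the official Snort ruleset; the sid, the 5-in-10-seconds threshold, the classtype and the $HOME_NET/$EXTERNAL_NET variables are assumptions to be tuned locally. Rather than counting bare SYNs, it keys on the X.224 Connection Request that opens every RDP session: the TPKT header (version 0x03 0x00) followed by an X.224 CR TPDU (type code 0xE0 at offset 5). That request is sent in the clear before the TLS/CredSSP negotiation, so Snort can see it even though the login exchange that follows is encrypted, as Jason pointed out.

```snort
# Added example: poor man's RDP brute-force detection by connection rate.
# Matches the cleartext X.224 Connection Request (TPKT version 3, then an
# X.224 CR TPDU whose type byte 0xE0 sits at offset 5) that begins every
# RDP session, and uses detection_filter so the rule only fires once a
# single source has opened 5 sessions to one host in 10 seconds.
# sid, threshold and classtype are assumptions; tune them for your network.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( \
    msg:"POLICY-OTHER possible RDP brute force - 5 connection requests in 10s from one source"; \
    flow:to_server,established; \
    content:"|03 00|"; depth:2; \
    content:"|E0|"; offset:5; depth:1; \
    detection_filter:track by_src, count 5, seconds 10; \
    classtype:attempted-admin; \
    sid:1000001; rev:1; \
)
```

With `detection_filter` the first four requests produce no alert at all; the fifth inside the window does, and every further request in the same window alerts again until the window rolls over. Change `alert` to `drop` only in inline mode, and only after the threshold has been tuned: the NAT caveat Dave raised applies here too, since all users behind one NAT gateway share a single `by_src` counter, and a slow brute-force that stays under 5 connections per 10 seconds is invisible to this rule. Note also that it matches new TCP sessions, not failed logons, so one user who reconnects five times in ten seconds looks the same as a password guesser; the eventlog approach Jason described is still the only way to count actual failures.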