[Snort-sigs] Creating a rule for RDP

Johnathan Wiltberger johwiltb at ...2420...
Sat Feb 7 07:22:45 EST 2015


If someone wanted to, though, could you look at the response size coming
back?

As in, a failed login for RDP is A bytes, a successful login is B bytes (or
maybe just ~A), then if you see your server response be A bytes 3 times,
then trigger a block on the source IP.  Not the best technique maybe, but
it was one of the ways I would try to detect failed SSH logins a while ago.

John Wiltberger

On Sat, Feb 7, 2015 at 3:06 AM, Samuel M Westerfeld <sam at ...2156...> wrote:

> No need to reinvent the wheel. This can (and should) be done through Group
> Policy or Local Security Policy in Windows.
> On Feb 7, 2015 1:36 AM, "Dave Killion" <dave.killion at ...2420...> wrote:
>
>> While that's true - RDP is encrypted - a poor man's brute-force detection
>> is to detect n-connections in y seconds between IP peers.  Say... 5
>> connections in 10 seconds?
>>
>> A real user wouldn't go that fast unless they were rapidly trying
>> credentials, and a script would go much faster.   You may need to tune the
>> interval, however, to something that makes sense in your network.
>>
>> Yes, this has problems with NAT, and yes, it has problems with slow
>> brute, but... It's better than nothing, and I know with certainty that many
>> commercial IDSs do exactly this.
>>
>> Dave Killion
>>
>>
>> > On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar at ...3686...> wrote:
>> >
>> >> On 23/01/15 12:06, Richard Giles wrote:
>> >> Hello,
>> >>
>> >> I am trying to write a simple snort rule that will block RDP traffic
>> >> if the password is failed more than 3-5 times. I have been experimenting
>> >> using something like the following:
>> >>
>> > As far as I'm aware RDP is a fully encrypted channel, so any failed
>> > login messages are sent by the server to the client over that encrypted
>> > channel. In other words, it's just like SSH,
>> >
>> > i.e. snort can't read it.
>> >
>> > The only way I can think of to detect RDP failed logins is to monitor
>> > the eventlogs of Windows servers for failed login events :-(
>> > --
>> > Cheers
>> >
>> > Jason Haar
>> > Corporate Information Security Manager, Trimble Navigation Ltd.
>> > Phone: +1 408 481 8171
>> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>> >
>> ------------------------------------------------------------------------------
>> > Dive into the World of Parallel Programming. The Go Parallel Website,
>> > sponsored by Intel and developed in partnership with Slashdot Media, is
>> your
>> > hub for all things parallel software development, from weekly thought
>> > leadership blogs to news, videos, case studies, tutorials and more.
>> Take a
>> > look and join the conversation now. http://goparallel.sourceforge.net/
>> > _______________________________________________
>> > Snort-sigs mailing list
>> > Snort-sigs at lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> > http://www.snort.org
>> >
>> >
>> > Please visit http://blog.snort.org for the latest news about Snort!
>>
>>
>
>
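Dave's "n connections in y seconds between IP peers" heuristic, written out as a Snort 2.x rule so that the rate-limit idea Richard asked about can be seen end to end. This is an added example, not a rule posted in the thread or shipped in any Snort ruleset; the 5-in-10-seconds figures are Dave's suggested starting point, and the sid, the msg text and the $HOME_NET/$EXTERNAL_NET variables are assumptions about the local snort.conf.

```snort
# Added example (not from the thread or from the Snort ruleset).
# Assumes Snort 2.x rule syntax, $HOME_NET/$EXTERNAL_NET defined in
# snort.conf, and sid 1000001 unused in the local ruleset.
#
# Why this is possible at all: the X.224 Connection Request is the very
# first RDP message and is sent in the clear, before the TLS/CredSSP
# negotiation that hides the actual logon exchange. It begins with a
# TPKT header (bytes 03 00) and, from mstsc-style clients, carries a
# cleartext routing cookie "Cookie: mstshash=<username>". Snort cannot
# see the failed-password messages Jason mentions, but it can count how
# often one source opens a fresh RDP session.
#
# detection_filter keeps a per-source counter: the rule stays silent
# until a single source IP exceeds 5 matching requests within 10
# seconds, which is the "real users don't go that fast" threshold.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 ( \
    msg:"LOCAL RDP connection rate from one source exceeds 5 in 10s (possible brute force)"; \
    flow:to_server,established; \
    content:"|03 00|"; depth:2; \
    content:"Cookie: mstshash="; \
    detection_filter:track by_src, count 5, seconds 10; \
    classtype:attempted-user; \
    sid:1000001; rev:1; \
)
```

Deployment notes: in an inline (IPS) deployment, changing the action from `alert` to `drop` gives the per-connection block Richard wanted; in passive mode it stays an alert and the block has to come from whatever consumes the event. The second `content` match can be removed if your clients (some non-Microsoft RDP clients, for instance) do not send the routing cookie; the TPKT match alone will then count every connection request. The caveats Dave raises still hold: hosts behind a shared NAT address will count together, and an attacker who spaces attempts more than 10 seconds apart never trips the filter, so tune `count`/`seconds` to your environment and treat this as a complement to, not a replacement for, the failed-logon events in the server's Security log.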