[Snort-sigs] Creating a rule for RDP

Simon Wesseldine simon.wesseldine at ...3930...
Mon Feb 9 05:57:22 EST 2015


Jason,

Although I will not be able to provide you with the exact answer, I do have
advice on how I would tackle the problem.

I would use Wireshark to analyse the client-server connections whilst you
perform some distinct operations. Then compare the encrypted conversations
in Wireshark to see if you can identify the different processes taking
place. If you are able to identify different patterns and make valid
statements about those differences, then you should be able to write some
Snort rules, e.g. bytes 3, 5 and 7 coming from the server are the values \x08,
\x4f and \xf0 for every failed login attempt, etc.

Obviously, if you cannot correctly identify the failed login attempts from
the encrypted traffic, then this method will not be possible.

I hope that helps, good luck.

Best regards,

Simon.

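As an added illustration (not part of Simon's message, and not a real RDP signature), here is what a Snort 2 rule built on his hypothetical observation would look like. It assumes the byte positions are zero-based payload offsets, that the RDP server listens on TCP 3389 in $HOME_NET, and that the \x08 / \x4f / \xf0 values were actually confirmed in captures; the sid and the detection_filter thresholds are placeholders.

```snort
# Hypothetical rule: match the server-side response pattern Simon describes
# (payload bytes 3, 5 and 7 equal to 0x08, 0x4f and 0xf0) and only alert once
# the same client has triggered it repeatedly, i.e. a burst of failed logins.
alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any ( \
    msg:"HYPOTHETICAL RDP repeated failed-login response pattern"; \
    flow:from_server,established; \
    # byte 3: skip 3 bytes, inspect exactly 1
    content:"|08|"; offset:3; depth:1; \
    # byte 5: cursor is now at byte 4, so skip 1 and inspect exactly 1
    content:"|4F|"; distance:1; within:1; \
    # byte 7: cursor is at byte 6, again skip 1 and inspect exactly 1
    content:"|F0|"; distance:1; within:1; \
    # fire only after 5 such responses to one client within 60 seconds
    detection_filter:track by_dst, count 5, seconds 60; \
    classtype:attempted-user; \
    reference:url,lists.snort.org/pipermail/snort-sigs/; \
    sid:1000001; rev:1; \
)
```

The same three checks can be written with absolute offsets as `byte_test:1,=,0x08,3; byte_test:1,=,0x4f,5; byte_test:1,=,0xf0,7;`, which reads more directly but gives the fast-pattern matcher nothing to anchor on; either way the rule is only as good as the pattern validated in the Wireshark comparison.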