[Snort-sigs] Creating a rule for RDP

Barry Bahrami Barry at ...3978...
Mon Feb 9 12:33:05 EST 2015


We have a firewall rule set up to block six connections to TCP 3389 from the 
same IP in a 10-second window. It works pretty well.

Barry Bahrami

From: Samuel M Westerfeld [mailto:sam at ...2156...]
Sent: Saturday, February 07, 2015 12:07 AM
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Creating a rule for RDP
No need to reinvent the wheel. This can (and should) be done through Group 
Policy or Local Security Policy in Windows.

On Feb 7, 2015 1:36 AM, "Dave Killion" <dave.killion at ...2420...> wrote:

While that's true - RDP is encrypted - a poor man's brute-force detection is 
to detect n-connections in y seconds between IP peers.  Say... 5 connections 
in 10 seconds?

A real user wouldn't go that fast unless they were rapidly trying credentials, 
and a script would go much faster.   You may need to tune the interval, 
however, to something that makes sense in your network.

Yes, this has problems with NAT, and yes, it has problems with slow brute 
force, but... it's better than nothing, and I know with certainty that many 
commercial IDSes do exactly this.

Dave Killion
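The "n connections in y seconds between IP peers" heuristic described above, as an added example that is not code from the thread or from the Snort project: a Snort 2.x rule using `detection_filter`, and the same sliding-window logic in Python run over a constructed connection log. The rule text, the sid (a placeholder in the local-rule range), the IP addresses and the log are all assumptions constructed for illustration. The sample includes a fast scripted attacker, a normal user, and a slow attacker that stays under the threshold, so the "slow brute" caveat is visible in the output.

```python
"""Rate-based RDP connection detection: 'n SYNs to 3389 in y seconds'.

Added example, not from the original thread.  The rule text, sid, addresses
and connection log below are constructed for illustration."""
from collections import defaultdict, deque

# Assumed Snort 2.x rule with the same semantics.  detection_filter fires on
# events AFTER the first `count` within `seconds`, so count 5 / seconds 10
# alerts on the 6th SYN and later from one source.  sid 1000001 is only a
# placeholder in the local-rule range, not a published signature.
SNORT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 '
    '(msg:"RDP connection rate exceeded"; flags:S; '
    'detection_filter:track by_src, count 5, seconds 10; '
    'classtype:attempted-recon; sid:1000001; rev:1;)'
)


def rate_alerts(events, count=5, seconds=10.0, by_peer=False):
    """events: time-ordered (ts, src_ip, dst_ip) tuples, one per SYN to 3389.

    Returns [(ts, key)] for every event beyond the first `count` from the
    same key inside a trailing `seconds` window.  `by_peer=True` tracks the
    (src, dst) pair, as the post suggests; by_src alone is closer to the
    Snort rule above.  This is a sliding window, slightly stricter than
    Snort's fixed sampling period, which starts at the first event."""
    recent = defaultdict(deque)
    alerts = []
    for ts, src, dst in events:
        key = (src, dst) if by_peer else src
        q = recent[key]
        q.append(ts)
        while ts - q[0] > seconds:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > count:
            alerts.append((ts, key))
    return alerts


# Constructed sample log (seconds since start, src, dst), not real traffic.
SAMPLE = (
    # fast scripted brute force: 8 SYNs, one per second
    [(t, "203.0.113.7", "192.0.2.10") for t in range(8)]
    # interactive user reconnecting three times over a minute
    + [(0, "198.51.100.4", "192.0.2.10"),
       (30, "198.51.100.4", "192.0.2.10"),
       (61, "198.51.100.4", "192.0.2.10")]
    # slow brute force: one SYN every 3 s never exceeds 4 in any 10 s window
    + [(t, "203.0.113.9", "192.0.2.10") for t in range(0, 60, 3)]
)
SAMPLE.sort(key=lambda e: e[0])  # the detector expects time order


if __name__ == "__main__":
    print(SNORT_RULE)
    for ts, key in rate_alerts(SAMPLE):
        print(f"t={ts:>3}s  rate exceeded for {key}")
    # With the thresholds above only 203.0.113.7 fires (at t=5, 6, 7);
    # 203.0.113.9 is the slow-brute blind spot the post warns about.
```

Lowering `count` catches the slow attacker but starts to flag legitimate reconnects, which is the tuning trade-off the post describes; the NAT caveat shows up the same way, since many users behind one address share a single `by_src` counter.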


> On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar at ...3686...> wrote:
>
>> On 23/01/15 12:06, Richard Giles wrote:
>> Hello,
>>
>> I am trying to write a simple Snort rule that will block RDP traffic if the 
>> password fails more than 3-5 times. I have been experimenting using 
>> something like the following:
>>
> As far as I'm aware RDP is a fully encrypted channel, so any failed login 
> messages are sent by the server to the client over that encrypted channel. 
> In other words, it's just like SSH,
>
> i.e. Snort can't read it.
>
> The only way I can think of to detect RDP failed logins is to monitor the 
> eventlogs of Windows servers for failed login events :-(
> --
> Cheers
>
> Jason Haar
> Corporate Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming. The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!

