[Snort-sigs] Creating a rule for RDP

Johnathan Wiltberger johwiltb at ...2420...
Mon Feb 9 16:41:54 EST 2015


Does RDP re-establish a session with each login attempt?  Because if not,
this may not be a valid attempt to find failed passwords.  I'd test it but
I don't have a system to test on right now, however it may be important to
think about how the protocol behaves on login attempts.


- John Wiltberger

On Mon, Feb 9, 2015 at 12:33 PM, Barry Bahrami <Barry at ...4001...> wrote:

> We have a firewall rule setup to block six connections to TCP3389 from the
> same IP in a 10 second window.  It works pretty well.
>
> Barry Bahrami
>
> *From:* Samuel M Westerfeld [mailto:sam at ...2156...]
> *Sent:* Saturday, February 07, 2015 12:07 AM
> *To:* snort-sigs at lists.sourceforge.net
> *Subject:* Re: [Snort-sigs] Creating a rule for RDP
>
>
>
> No need to reinvent the wheel. This can (and should) be done through Group
> Policy or Local Security Policy in Windows.
>
> On Feb 7, 2015 1:36 AM, "Dave Killion" <dave.killion at ...2420...> wrote:
>
> While that's true - RDP is encrypted - a poor man's brute-force detection
> is to detect n-connections in y seconds between IP peers.  Say... 5
> connections in 10 seconds?
>
> A real user wouldn't go that fast unless they were rapidly trying
> credentials, and a script would go much faster.   You may need to tune the
> interval, however, to something that makes sense in your network.
>
> Yes, this has problems with NAT, and yes, it has problems with slow brute,
> but... It's better than nothing, and I know with certainty that many
> commercial IDS' do exactly this.
>
> Dave Killion
>
>
> > On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar at ...3686...> wrote:
> >
> >> On 23/01/15 12:06, Richard Giles wrote:
> >> Hello,
> >>
> >> I am trying to write a simple snort rule that will block RDP traffic if
> >> the password is failed more than 3-5 times. I have been experimenting using
> >> something like the following:
> >>
> > As far as I'm aware RDP is a fully encrypted channel, so any failed
> > login messages are sent by the server to the client over that encrypted
> > channel. In other words, it's just like SSH.
> >
> > i.e. snort can't read it.
> >
> > The only way I can think of to detect RDP failed logins is to monitor
> > the eventlogs of Windows servers for failed login events :-(
> > --
> > Cheers
> >
> > Jason Haar
> > Corporate Information Security Manager, Trimble Navigation Ltd.
> > Phone: +1 408 481 8171
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> > sponsored by Intel and developed in partnership with Slashdot Media, is your
> > hub for all things parallel software development, from weekly thought
> > leadership blogs to news, videos, case studies, tutorials and more. Take a
> > look and join the conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
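The threshold heuristic Dave and Barry describe (n new connections to TCP 3389 between the same peers within y seconds), written out as an added example; this is not code from any of the posters or from Snort. It is a sliding-window detector in Python run over constructed connection records: the record format, the IP addresses and the timestamps are made up for the illustration, while the 5-in-10 and 6-in-10 thresholds are the ones quoted in the thread. The sample run also shows the caveats raised above: the slow series of attempts never reaches the threshold inside any window, and because the counter only sees connection initiations it depends on the answer to John's question about whether RDP opens a new connection for every login attempt.

```python
"""Sliding-window "n connections in y seconds between IP peers" detector.

Added example for the snort-sigs thread on RDP brute-force detection; not
code posted by any participant. Record format and sample data are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Thresholds quoted in the thread: 5 connections in 10 seconds.
DEFAULT_COUNT = 5
DEFAULT_WINDOW = 10.0
RDP_PORT = 3389

Alert = Tuple[float, str, str, int]  # (timestamp, src_ip, dst_ip, connections seen)


class PeerRateDetector:
    """Count new connections per (src_ip, dst_ip) pair in a sliding window.

    Keying on the peer pair rather than the source alone keeps one NAT
    gateway talking to many different servers from tripping the threshold,
    but many clients behind one NAT hitting a single server still look like
    one noisy source (the NAT caveat from the thread).
    """

    def __init__(self, count: int = DEFAULT_COUNT,
                 window: float = DEFAULT_WINDOW, port: int = RDP_PORT) -> None:
        self.count = count
        self.window = window
        self.port = port
        self._hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def observe(self, ts: float, src: str, dst: str, dport: int) -> Optional[Alert]:
        """Feed one connection initiation; return an alert once the limit is hit."""
        if dport != self.port:
            return None
        q = self._hits[(src, dst)]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) >= self.count:
            seen = len(q)
            q.clear()  # one burst produces one alert, then counting restarts
            return (ts, src, dst, seen)
        return None


def parse_record(line: str) -> Tuple[float, str, str, int]:
    """Parse the constructed record format: '<epoch_ts> <src_ip> -> <dst_ip>:<dport>'."""
    ts_s, src, _arrow, dst_port = line.split()
    dst, port_s = dst_port.rsplit(":", 1)
    return float(ts_s), src, dst, int(port_s)


def run_detector(lines: List[str], count: int = DEFAULT_COUNT,
                 window: float = DEFAULT_WINDOW) -> List[Alert]:
    """Run the detector over connection records and collect the alerts."""
    det = PeerRateDetector(count, window)
    alerts: List[Alert] = []
    for line in lines:
        alert = det.observe(*parse_record(line))
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample records (RFC 5737 documentation addresses, relative times).
SAMPLE_RECORDS: List[str] = (
    # Burst: six connection attempts in 2.5 seconds from one source.
    [f"{100.0 + 0.5 * i:.1f} 203.0.113.7 -> 198.51.100.20:3389" for i in range(6)]
    # Legitimate user: two connections a minute apart.
    + ["150.0 192.0.2.5 -> 198.51.100.20:3389",
       "210.0 192.0.2.5 -> 198.51.100.20:3389"]
    # Slow attempts: one every 4 seconds, never 5 inside any 10 second window.
    + [f"{300.0 + 4.0 * i:.1f} 203.0.113.9 -> 198.51.100.20:3389" for i in range(6)]
    # Busy HTTPS client: not RDP, ignored regardless of rate.
    + [f"{400.0 + 0.1 * i:.1f} 192.0.2.8 -> 198.51.100.30:443" for i in range(20)]
)


if __name__ == "__main__":
    for n, w in ((5, 10.0), (6, 10.0)):
        print(f"{n} connections in {w:g}s:")
        for ts, src, dst, seen in run_detector(SAMPLE_RECORDS, n, w):
            print(f"  {ts:.1f} {src} -> {dst}: {seen} connections in window")
```

With the 5-in-10 setting only the burst fires (one alert at t=102.0); Barry's 6-in-10 setting fires once at t=102.5; the slow source and the legitimate user never do, and lowering the count to 3 is what it takes before the slow series is caught, at the cost of alerting on the burst twice.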