[Snort-sigs] MS RDP on non-standard port

James Lay jlay at ...3266...
Sun Jan 22 09:15:23 EST 2017

I see these scans semi-regularly... usually the cookie is sometimes
blank, sometimes not:

alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"SCAN MS Terminal
Server traffic on Non-standard Port"; flow:to_server,established;
content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5;
depth:6; content:"Cookie|3a| mstshash="; pcre:"/Cookie\x3a mstshash=/";
classtype:attempted-recon; sid:xxxxxxxx; rev:1;)
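
An added example, not part of the original post: the rule's three content tests applied offline to constructed RDP connection requests, with hits split by cookie state. The helper names are hypothetical, the sample bytes are constructed, and "blank" is assumed to mean an empty value after `mstshash=`.

```python
import struct

COOKIE = b"Cookie: mstshash="
CR_HDR = b"\xe0\x00\x00\x00\x00\x00"  # CR TPDU code, DST-REF, SRC-REF, class 0


def build_cr(cookie=None, neg_req=True):
    """Constructed TPKT + X.224 Connection Request; cookie=None omits the cookie."""
    body = CR_HDR
    if cookie is not None:
        body += COOKIE + cookie + b"\r\n"
    if neg_req:
        body += b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP_NEG_REQ, constructed
    x224 = bytes([len(body)]) + body  # length indicator excludes itself
    return b"\x03\x00" + struct.pack(">H", 4 + len(x224)) + x224


def rule_matches(payload):
    """The rule's three content tests; flow and port checks are not modelled."""
    return (payload[:3] == b"\x03\x00\x00"   # content; depth:3
            and payload[5:11] == CR_HDR      # content; offset:5; depth:6
            and COOKIE in payload)           # unanchored content (pcre repeats it)


def classify(payload):
    """Split hits by cookie state so blank-cookie scans can be counted separately."""
    if payload[:3] != b"\x03\x00\x00" or payload[5:11] != CR_HDR:
        return "not-rdp-cr"
    start = payload.find(COOKIE)
    if start < 0:
        return "no-cookie"
    start += len(COOKIE)
    end = payload.find(b"\r\n", start)
    value = payload[start:end if end >= 0 else len(payload)]
    return "cookie" if value else "blank-cookie"


if __name__ == "__main__":
    samples = {
        "named cookie": build_cr(b"admin"),
        "blank cookie": build_cr(b""),
        "no cookie": build_cr(None),
        "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    }
    for name, data in samples.items():
        print(f"{name:13} rule={rule_matches(data)!s:5} class={classify(data)}")
```

A connection request that carries no cookie at all passes the first two content tests but not the third, so the rule as written does not alert on it.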
