No subject


Thu Nov 23 16:34:03 EST 2017


/* ISO PDU codes */
enum ISO_PDU_CODE
{
        ISO_PDU_CR = 0xE0, /* Connection Request */
        ISO_PDU_CC = 0xD0, /* Connection Confirm */
        ISO_PDU_DR = 0x80, /* Disconnect Request */
        ISO_PDU_DT = 0xF0, /* Data */
        ISO_PDU_ER = 0x70  /* Error */
};

And then the first byte, the protocol version number, is currently always 3
(please correct me if I'm wrong). From that, I find these experimental rules
very useful:


Incoming RDP connection request:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "RDP connection request"; content: "|03|"; offset: 0; depth: 1; content: "|E0|"; offset: 5; depth: 1; flags: A+;)


Outgoing RDP connection confirm:

alert tcp $HOME_NET 3389 -> $EXTERNAL_NET any (msg: "RDP connection confirm"; content: "|03|"; offset: 0; depth: 1; content: "|D0|"; offset: 5; depth: 1; flags: A+;)


Incoming RDP disconnect request:

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "RDP disconnect request"; content: "|03|"; offset: 0; depth: 1; content: "|80|"; offset: 5; depth: 1; flags: A+;)


I'm sure you can also create other useful RDP rules, but these are good
enough for me right now.

Comments/suggestions/flames?

Regards,
Andreas Östling, andreaso at ...58...
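The byte checks the three rules above perform, reproduced as an added Python example (not part of the post or of Snort): it frames constructed X.224 TPDUs in TPKT headers, applies the same two tests (byte 0 == 0x03, byte 5 == PDU code) and derives the rule direction from which side of the TCP segment is port 3389. The sample frames, port numbers and the mstshash cookie are constructed for the example.

```python
import struct

# X.224 PDU codes from the post; the rules read this value at payload byte 5
ISO_PDU_CODES = {
    0xE0: "ISO_PDU_CR",  # Connection Request
    0xD0: "ISO_PDU_CC",  # Connection Confirm
    0x80: "ISO_PDU_DR",  # Disconnect Request
    0xF0: "ISO_PDU_DT",  # Data
    0x70: "ISO_PDU_ER",  # Error
}

# (direction, PDU) -> alert message, mirroring the three rules in the post
RULES = {
    ("to_server", "ISO_PDU_CR"): "RDP connection request",
    ("from_server", "ISO_PDU_CC"): "RDP connection confirm",
    ("to_server", "ISO_PDU_DR"): "RDP disconnect request",
}

def tpkt_frame(x224_tpdu: bytes) -> bytes:
    """Wrap an X.224 TPDU (bytes after the length indicator) in a TPKT header:
    version 3, reserved 0, 16-bit total length including the 4-byte header."""
    li = len(x224_tpdu)
    return struct.pack("!BBH", 3, 0, 5 + li) + bytes([li]) + x224_tpdu

def classify(payload: bytes):
    """Exactly the rules' content matches: payload[0] must be 0x03 and
    payload[5] is looked up as the PDU code. Nothing else is checked, so any
    payload carrying those two bytes (RDP or not) is treated as a match."""
    if len(payload) < 6 or payload[0] != 0x03:
        return None
    return ISO_PDU_CODES.get(payload[5])

def alert(payload: bytes, src_port: int, dst_port: int):
    """Alert message the matching rule would raise for this segment, or None."""
    pdu = classify(payload)
    if pdu is None:
        return None
    if dst_port == 3389:
        direction = "to_server"
    elif src_port == 3389:
        direction = "from_server"
    else:
        return None
    return RULES.get((direction, pdu))

# Constructed samples (not captures): CR with a cookie and RDP_NEG_REQ, CC with
# RDP_NEG_RSP, DR with a zero reason, and the two-byte DT TPDU (code, EOT).
SAMPLE_CR = tpkt_frame(bytes([0xE0, 0, 0, 0, 0, 0]) + b"Cookie: mstshash=user\r\n"
                       + bytes([0x01, 0, 0x08, 0, 0x03, 0, 0, 0]))
SAMPLE_CC = tpkt_frame(bytes([0xD0, 0, 0, 0x12, 0x34, 0]) + bytes([0x02, 0, 0x08, 0, 0x02, 0, 0, 0]))
SAMPLE_DR = tpkt_frame(bytes([0x80, 0, 0, 0x12, 0x34, 0]))
SAMPLE_DT = tpkt_frame(bytes([0xF0, 0x80]))
SAMPLE_TLS = b"\x16\x03\x01\x00\x5a\x01\x00\x00\x56"  # TLS record header, not TPKT
```

Running alert() over the samples shows that the DT sample and the TLS bytes raise nothing, while a CR arriving from port 3389 is also ignored because no rule covers that direction.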




More information about the Snort-sigs mailing list