[Snort-users] MS Terminal Server Requests

Knight, Ric RKnight at ...7145...
Fri Dec 20 10:59:07 EST 2002


Ian, 

I think the point of the rule is to notify that the access occurred from
somewhere externally to somewhere in your home network. If both the client
and the server are defined as part of your $HOME_NET you shouldn't get the
alerts. 

As to the author... beats me...

Cheers
-Ric 

-----Original Message-----
From: Parker, Ian [mailto:parker.ian at ...6018...]
Sent: December 20, 2002 1:28 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] MS Terminal Server Requests


I was wondering who created the experimental Snort rule for detecting
malformed RDP packets in an MS terminal server request, SID 1447, and how
they came up with that particular payload. The reason I'm curious is that
every RDP packet to my terminal servers has this payload, so the rule gets
triggered all the time.

Ian Parker, GCWN

Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd

(780)790-4631
parker.ian at ...6018...



-------------------------------------------------------
This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
Time is running out!  Thinkgeek.com has the coolest gifts for
your favorite geek.   Let your fingers do the typing.   Visit Now.
T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list