[Snort-users] MS Terminal Server Requests

Hicks, John JHicks at ...5857...
Fri Dec 20 11:05:05 EST 2002

> SID 1447 - MISC MS Terminal server request (RDP) 

AFAIK, this sig is for simple Terminal Server connections, and nowhere does
it mention 'malformed' requests. This rule works without even being logging
in, but simply the Remote Client talking to the TS as telnetting doesn't
produce the same alert.

I just tested on a production server by connecting and not logging in or
touching anythign at that point, and I received a single alert as usual.
Proceeding to use TS produces 0 extra alerts.


-----Original Message-----
From: Parker, Ian [mailto:parker.ian at ...6018...]
Sent: Friday, December 20, 2002 1:28 PM
To: 'snort-users at lists.sourceforge.net'
Subject: [Snort-users] MS Terminal Server Requests

I was wondering who created the experimental Snort rule for detecting
malformed RDP packets in an MS terminal server request, SID 1447, and how
they came up with that particular payload. The reason I'm curious is that
every RDP packet to my terminal servers has this payload, so the rule gets
triggered all the time.

Ian Parker, GCWN

Senior Systems Analyst
Upgrading Plant Computing
Syncrude Canada Ltd

parker.ian at ...6018...

This SF.NET email is sponsored by:  The Best Geek Holiday Gifts!
Time is running out!  Thinkgeek.com has the coolest gifts for
your favorite geek.   Let your fingers do the typing.   Visit Now.
T H I N K G E E K . C O M        http://www.thinkgeek.com/sf/
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list