[Snort-users] Terminal services signature

Andreas Östling andreaso at ...236...
Wed Jul 24 13:20:04 EDT 2002


On Wed, 24 Jul 2002, Tony Wong wrote:

> How do I create a rule to alert terminal service access
>
> Alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"Terminal Services
> access"; ......
>
>
> ... Then I don't know what to put in between ()
>
>
> Thanks

Two rules are in snortrules-current (sid 1447 and 1448).

Personally, I also find these useful:

alert tcp any any -> any 3389 (msg: "RDP connection request"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|E0|"; offset: 5; depth: 1; flags: A+;)

alert tcp any 3389 -> any any (msg: "RDP connection confirm"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|D0|"; offset: 5; depth: 1; flags: A+;)

alert tcp any any -> any 3389 (msg: "RDP disconnect request"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|80|"; offset: 5; depth: 1; flags: A+;)

alert tcp any any <> any 3389 (msg: "RDP error packet"; \
content: "|03|"; offset: 0; depth: 1; \
content: "|70|"; offset: 5; depth: 1; flags: A+;)


Search the snort-sigs archive for more info.

/Andreas
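As an added example (not part of Andreas's post or the Snort rule set), the following Python applies the same byte checks the four rules above express, TPKT version 0x03 at payload offset 0 and the X.224 TPDU code at offset 5, to constructed sample TCP payloads; the `flags: A+` TCP-flag condition is assumed to be satisfied by the caller and is not modelled.

```python
# Added example: mirror the content/offset/depth checks of the four RDP
# rules above. Sample payloads below are constructed, not captured traffic.
from typing import Optional

# X.224 TPDU code at offset 5 -> (rule message, direction relative to 3389)
TPDU_RULES = {
    0xE0: ("RDP connection request", "to_server"),   # any -> 3389
    0xD0: ("RDP connection confirm", "from_server"),  # 3389 -> any
    0x80: ("RDP disconnect request", "to_server"),    # any -> 3389
    0x70: ("RDP error packet", "either"),             # any <> 3389
}


def classify_rdp_payload(payload: bytes, src_port: int, dst_port: int) -> Optional[str]:
    """Return the message of the rule that would fire, or None.

    Byte 0 must be 0x03 (TPKT version, 'offset: 0; depth: 1'), and byte 5
    is the X.224 TPDU code ('offset: 5; depth: 1'). Port checks follow each
    rule's header line.
    """
    if len(payload) < 6 or payload[0] != 0x03:
        return None
    entry = TPDU_RULES.get(payload[5])
    if entry is None:
        return None
    msg, direction = entry
    if direction == "to_server" and dst_port != 3389:
        return None
    if direction == "from_server" and src_port != 3389:
        return None
    if direction == "either" and 3389 not in (src_port, dst_port):
        return None
    return msg


# Constructed samples: TPKT header (version 3, reserved, 2-byte length)
# followed by an X.224 header (length indicator, TPDU code, ...).
CONNECTION_REQUEST = bytes([0x03, 0x00, 0x00, 0x0B, 0x06, 0xE0, 0, 0, 0, 0, 0])
CONNECTION_CONFIRM = bytes([0x03, 0x00, 0x00, 0x0B, 0x06, 0xD0, 0, 0, 0x12, 0x34, 0])
NOT_TPKT = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    print(classify_rdp_payload(CONNECTION_REQUEST, 50000, 3389))  # RDP connection request
    print(classify_rdp_payload(CONNECTION_CONFIRM, 3389, 50000))  # RDP connection confirm
    print(classify_rdp_payload(NOT_TPKT, 50000, 3389))            # None
```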
