[Snort-users] VNC Rule

sekure sekure at ...11827...
Thu Aug 12 06:35:01 EDT 2004


Play around with suppression and suppress the rules you want based on
source or destination networks.


----- Original Message -----
From: jonasb at ...7872... <jonasb at ...7872...>
Date: Thu, 12 Aug 2004 05:51:29 -0700
Subject: [Snort-users] VNC Rule
To: snort-users at lists.sourceforge.net

Hi -

I know that rule 560 in the default Snort ruleset detects VNC traffic
- but it seems to detect two packets per server connection: one from
the server responding to the connection and one from the client back
to the server. I need to detect traffic in only one direction.

I need to check for two types of VNC connections - one of them being
an MIS rule where I detect responses to management clients, and the
other (more serious), where I detect VNC connections initiated by
clients outside of the management subnet i.e. if mgmt is
192.168.0.0/24, then I'd want a rule from ANY to [192.168.0.0/24] and
one from ANY to ![192.168.0.0/24].

The problem is that since the existing VNC rule logs two packets (one
in each direction), I get two alerts for an MIS outbound connection
(i.e. both rules above are triggered, the first for the server
response to MIS, and the second because the client's response is
detected).

I could just change ANY in the second rule to ![192.168.0.0/24], but
then I wouldn't detect server responses from MIS clients (even more
important). Does anybody have a VNC rule that will only log the
server's response (one packet per session initiation)?

Thanks
B
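
One way to get a single alert per session, as an added example that is not from the thread: two direction-aware rules built on the question's split (management subnet 192.168.0.0/24 versus everything else), followed by the suppression alternative the reply points at. The port range, the local sids, the classtypes and the assumption that a stream preprocessor is enabled are mine.

```snort
# Added example, not from the mailing-list thread. Assumes VNC servers listen
# on 5900-5910, that 192.168.0.0/24 is the management subnet named in the
# question, and that a stream preprocessor (stream4 in Snort 2.x of that era)
# is enabled so the flow keyword can tell which side of the session is which.
#
# Why a direction-less rule fires twice: the RFB handshake opens with the
# server sending "RFB 003.xxx\n" and the client answering with a version
# string of the same form, so matching the version string without a
# direction qualifier hits both packets. flow:to_client keeps only the
# server's packet, which is the one the question wants logged.

# Rule 1 (informational): server response going back to a management client.
alert tcp any 5900:5910 -> 192.168.0.0/24 any (msg:"POLICY VNC server response to management client"; flow:to_client,established; content:"RFB 0"; depth:5; classtype:misc-activity; sid:1000001; rev:1;)

# Rule 2 (the serious one): server response going to a client outside the
# management subnet, i.e. a VNC session that was initiated from elsewhere.
alert tcp any 5900:5910 -> ![192.168.0.0/24] any (msg:"POLICY VNC server response to non-management client"; flow:to_client,established; content:"RFB 0"; depth:5; classtype:policy-violation; sid:1000002; rev:1;)

# Alternative from the reply: keep stock sid 560 and silence it for the
# management subnet in threshold.conf. Note this also drops the management-side
# responses the question still wants to see, which is why the two rules above
# are the closer fit.
# suppress gen_id 1, sig_id 560, track by_dst, ip 192.168.0.0/24
```

Because each rule matches only the server-to-client packet, an outbound session from a management client triggers rule 1 once and rule 2 never.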
