[Snort-users] VNC Rule

sekure sekure at ...11827...
Thu Aug 12 06:35:01 EDT 2004

Play around with suppression and suppress the rules you want based on
source or destination networks.

From: jonasb at ...7872... <jonasb at ...7872...>
Date: Thu, 12 Aug 2004 05:51:29 -0700
Subject: [Snort-users] VNC Rule
To: snort-users at lists.sourceforge.net

Hi -

I know that rule 560 in the default Snort ruleset detects VNC traffic
- but it seems to detect two packets per server connection: one from
the server responding to the connection and one from the client back
to the server. I need to detect traffic in only one direction.

I need to check for two types of VNC connections - One of them being
an MIS rule where I detect responses to management clients, and the
other (more serious), where I detect VNC connections initiated by
clients outside of the management subnet i.e. if mgmt is, then I'd want a rule from ANY to [] and
one from ANY to ![]

The problem is that since the existing VNC rule logs two packets (one
in each direction), I get two alerts for an MIS outbound connection
(i.e. both rules above are triggered, the first for the server
response to MIS, and the second because the client's response is

I could just change ANY in the second rule to ![], but
then I wouldn't detect server responses from MIS clients (even more
important). Does anybody have a VNC rule that will only log the
server's response (one packet per session initiation)?
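Two ways to get one alert per VNC session, written up here as an added example (not rules from the thread or from the stock Snort ruleset). It assumes Snort 2.x rule syntax, VNC servers listening on 5900-5910, and uses 192.0.2.0/24 as a placeholder for the management subnet. The first block replaces rule 560 with direction-restricted rules, matching only packets the server sends (`flow:from_server`), so the client's reply never fires; the second block is the suppression approach from the reply above, keeping rule 560 and silencing the alerts it raises on packets sourced from the management subnet.

```snort
# --- Option 1: local rules that only match the server side of the RFB handshake ---
# Placeholder management subnet (constructed for this example)
var MGMT_NET [192.0.2.0/24]

# The RFB ProtocolVersion banner ("RFB 003.xxx\n") is the first thing the
# server sends; flow:from_server,established limits the match to that
# direction, so one alert per session instead of two.
alert tcp any 5900:5910 -> $MGMT_NET any (msg:"LOCAL VNC server response to management client"; flow:from_server,established; content:"RFB 003."; depth:8; classtype:misc-activity; sid:1000001; rev:1;)

# Same banner, but the client is outside the management subnet (the serious case).
alert tcp any 5900:5910 -> !$MGMT_NET any (msg:"LOCAL VNC server response to non-management client"; flow:from_server,established; content:"RFB 003."; depth:8; classtype:policy-violation; sid:1000002; rev:1;)

# --- Option 2: keep rule 560 and suppress the duplicate (threshold.conf / snort.conf) ---
# Drops sid 560 alerts whose *source* is a management host, i.e. the client's
# reply in an MIS-initiated session; the server's response (source = server)
# still alerts. Note this also hides sid 560 alerts from any VNC server that
# itself lives in the management subnet.
suppress gen_id 1, sig_id 560, track by_src, ip 192.0.2.0/24
```

Option 1 answers both requirements directly; option 2 is the smaller change if you want to leave the vendor ruleset untouched. Either way, check `snort -T` after editing to confirm the rules and suppression entries parse.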
