[Snort-users] VNC Rule
sekure at ...11827...
Thu Aug 12 06:35:01 EDT 2004
Play around with suppression and suppress the rules you want based on
source or destination networks.
----- Original Message -----
From: jonasb at ...7872... <jonasb at ...7872...>
Date: Thu, 12 Aug 2004 05:51:29 -0700
Subject: [Snort-users] VNC Rule
To: snort-users at lists.sourceforge.net
I know that rule 560 in the default Snort ruleset detects VNC traffic
- but it seems to detect two packets per server connection: one from
the server responding to the connection and one from the client back
to the server. I need to detect traffic in only one direction.
I need to check for two types of VNC connections - One of them being
an MIS rule where I detect responses to management clients, and the
other (more serious), where I detect VNC connections initiated by
clients outside of the management subnet i.e. if mgmt is
192.168.0.0/24, then I'd want a rule from ANY to [192.168.0.0/24] and
one from ANY to ![192.168.0.0/24]
The problem is that since the existing VNC rule logs two packets (one
in each direction), I get two alerts for an MIS outbound connection
(i.e. both rules above are triggered, the first for the server
response to MIS, and the second because the client's response is
I could just change ANY in the second rule to ![192.168.0.0/24], but
then I wouldn't detect server responses from MIS clients (even more
important). Does anybody have a VNC rule that will only log the
server's response (one packet per session initiation)?
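One way to get one alert per session and split it by client subnet, as an added example that is not from either poster: two direction-constrained local rules plus the suppression approach the reply mentions. Assumed, not taken from the thread: the VNC server port range, the local SIDs 1000001/1000002, and Snort 2.x rule and threshold.conf syntax.

```snort
# Added example (not from the thread). Assumptions: management subnet is
# 192.168.0.0/24 as in the question, VNC servers listen on 5900:5910 (adjust),
# Snort 2.x syntax, SIDs 1000001/1000002 are local placeholders.
# A VNC server sends the RFB version banner ("RFB 003.00x") first and the client
# answers with its own banner, so a rule with no direction constraint can match
# both packets; flow:from_server,established limits it to the server's reply.

# snort.conf variables
var MGMT_NET [192.168.0.0/24]
portvar VNC_PORTS 5900:5910

# 1) MIS case: VNC server answering a client inside the management subnet.
alert tcp any $VNC_PORTS -> $MGMT_NET any (msg:"LOCAL VNC server response to management client"; flow:from_server,established; content:"RFB 0"; depth:5; classtype:policy-violation; sid:1000001; rev:1;)

# 2) Serious case: VNC server answering a client outside the management subnet.
alert tcp any $VNC_PORTS -> !$MGMT_NET any (msg:"LOCAL VNC server response to non-management client"; flow:from_server,established; content:"RFB 0"; depth:5; classtype:policy-violation; sid:1000002; rev:1;)

# Alternative from the reply, in threshold.conf: keep the stock rule (gen_id 1,
# sig_id 560) and silence its alerts whose destination is the management subnet,
# so only sessions toward non-management clients remain visible.
suppress gen_id 1, sig_id 560, track by_dst, ip 192.168.0.0/24
```

Check the match with a packet capture of one VNC login: each of rules 1000001/1000002 should fire once, on the server's first packet only.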