[Snort-users] VNC Failed Login

sekure sekure at ...11827...
Thu Sep 2 11:27:21 EDT 2004


Saw a warning on isc.sans.org about brute force VNC login attempts and
couldn't really find any rules to detect it, so I threw together this
one:

alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login"; flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|"; content:"Authentication|20|failure"; classtype:unsuccessful-user; sid:1000001; rev:1;)
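The rule above fires once per failed login, so spotting a brute-force run means counting failures per client. The sketch below is an added example, not part of the original post: it decodes the rule's two content patterns and counts matches per client in a sliding window. The function names, the 5-in-60-seconds threshold and the sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

# The two content patterns exactly as they appear in the posted rule.
RULE_CONTENTS = ["|00 00 00 00 00 01 00 00 00 16|", "Authentication|20|failure"]

def decode_content(pattern):
    """Turn Snort content notation (text with |hex bytes| sections) into bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        # Odd-numbered pieces sit between pipes and hold space-separated hex.
        out += bytes.fromhex(part) if i % 2 else part.encode("ascii")
    return bytes(out)

PATTERNS = [decode_content(c) for c in RULE_CONTENTS]

def is_failed_login(payload):
    """True when every content pattern occurs somewhere in the payload
    (the rule puts no ordering or distance constraint on them)."""
    return all(p in payload for p in PATTERNS)

def brute_force_sources(events, limit=5, window=60):
    """events: (timestamp, client_ip, server_payload) tuples in time order.
    Returns clients with at least `limit` failures inside `window` seconds.
    limit and window are assumed values; tune them for the site."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, client, payload in events:
        if not is_failed_login(payload):
            continue
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= limit:
            flagged.add(client)
    return sorted(flagged)

# Constructed sample traffic (not captured data): server-to-client payloads.
FAIL = PATTERNS[0] + PATTERNS[1]
OTHER = b"constructed payload that should not match"
SAMPLE = [(t, "192.0.2.10", FAIL) for t in range(0, 50, 10)]
SAMPLE += [(0, "192.0.2.20", FAIL), (300, "192.0.2.20", FAIL), (5, "192.0.2.30", OTHER)]
SAMPLE.sort(key=lambda e: e[0])  # order by timestamp only

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE))
```

The client address here corresponds to the alert's destination, since the rule matches the server's reply on port 5900.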



