[Snort-users] VNC Failed Login

Frank Knobbe frank at ...9761...
Thu Sep 2 15:43:18 EDT 2004


On Thu, 2004-09-02 at 13:26, sekure wrote:
> Saw a warning on isc.sans.org about brute force VNC login attempts and
> couldn't really find any rules to detect it, so I threw together this
> one:
> 
> alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login";
> flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|";
> content:"Authentication|20|failure"; classtype:unsuccessful-user;
> sid:1000001; rev:1;)

VNC does not only operate on port 5900 (that's display :0), but also on
other ports up to 5999. Where are those port lists when you need them :)

Frank
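
The port coverage point above, as an added example that is not part of either post: it applies the two content patterns from the quoted rule to server-to-client payloads and compares what a port-5900-only match sees with a match over 5900-5999. The function names, the threshold of 3, and the sample traffic are assumptions constructed for illustration.

```python
from collections import Counter

# Both byte patterns are copied from the content options of the quoted rule.
PREFIX = bytes.fromhex("00000000000100000016")
REASON = b"Authentication failure"
VNC_PORTS = range(5900, 6000)  # displays :0 to :99, per the reply

def is_failed_login(server_port, payload, ports=VNC_PORTS):
    """Mirror the rule: server port in scope and both contents present."""
    return server_port in ports and PREFIX in payload and REASON in payload

def failures_by_client(segments, ports=VNC_PORTS):
    """Count matching server-to-client segments per (client, server port)."""
    hits = Counter()
    for server_port, client_ip, payload in segments:
        if is_failed_login(server_port, payload, ports):
            hits[(client_ip, server_port)] += 1
    return hits

def repeated_failures(segments, threshold=3, ports=VNC_PORTS):
    """Keep only clients at or above the threshold (an assumed value)."""
    counts = failures_by_client(segments, ports)
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample traffic (documentation addresses, not captured data).
FAIL = PREFIX + REASON
SAMPLE = [
    (5900, "198.51.100.7", FAIL),
    (5901, "198.51.100.7", FAIL),
    (5901, "198.51.100.7", FAIL),
    (5901, "198.51.100.7", FAIL),
    (5901, "198.51.100.8", b"RFB 003.003\n"),  # handshake, no failure text
    (6000, "198.51.100.7", FAIL),              # outside 5900-5999, ignored
]

if __name__ == "__main__":
    print("port 5900 only:", dict(failures_by_client(SAMPLE, ports=(5900,))))
    print("5900-5999:     ", dict(failures_by_client(SAMPLE)))
    print("repeated:      ", repeated_failures(SAMPLE))
```

In the rule header itself, Snort's port range notation `5900:5999` in place of `5900` covers the same set of displays.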
