[Snort-sigs] Re: [Snort-users] VNC Failed Login

Nigel Houghton nigel at ...1935...
Thu Sep 2 16:05:31 EDT 2004


On  0, Frank Knobbe <frank at ...9761...> allegedly wrote:
> On Thu, 2004-09-02 at 13:26, sekure wrote:
> > Saw a warning on isc.sans.org about brute force VNC login attempts and
> > couldn't really find any rules to detect it, so I threw together this
> > one:
> > 
> > alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login";
> > flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|";
> > content:"Authentication|20|failure"; classtype:unsuccessful-user;
> > sid:1000001; rev:1;)
> 
> VNC does not only operate on port 5900 (that's display :0), but also on
> other ports up to 5999. Where are those port lists when you need them :)

Port _ranges_ do exist. $HOME_NET 5900:5903 would take care of 4
displays. You might be increasing the likelihood of false positives though. 

+-------------------------------------------------------------------------+
       Nigel Houghton       Research Engineer        Sourcefire Inc.
                       Vulnerability Research Team
                                                                         
  "Dude, dolphins are intelligent and friendly!" - Wendy
  "Intelligent and friendly on rye bread, with some mayonaise." - Cartman
+-------------------------------------------------------------------------+
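
The trade-off discussed above, as an added example that is not part of the original thread: a small Python model of the posted rule's matching logic (source port or port range, plus the two content patterns), run over constructed payloads. It is not Snort itself; the `adjacent` option, the function names and the sample payloads are assumptions of this example.

```python
# Added example: models the posted rule's matching logic; not Snort itself.
PREFIX = bytes.fromhex("00000000000100000016")   # first content: from the rule
REASON = b"Authentication failure"                # second content: from the rule

def parse_ports(spec):
    """Parse a Snort-style port spec: '5900' or a 'low:high' range."""
    low, _, high = spec.partition(":")
    return int(low), int(high or low)

def rule_matches(src_port, payload, ports="5900", adjacent=False):
    """Return True if a server-to-client payload would trigger the rule.

    adjacent=False: both contents anywhere in the payload (rule as posted,
    which has no distance/within modifiers).
    adjacent=True: REASON must directly follow PREFIX (a tighter variant,
    an assumption of this example, not something proposed in the thread).
    """
    low, high = parse_ports(ports)
    if not low <= src_port <= high:
        return False
    if adjacent:
        return PREFIX + REASON in payload
    return PREFIX in payload and REASON in payload

# Constructed sample payloads (not captured traffic).
VNC_FAIL = PREFIX + REASON
UNRELATED = b"log: " + REASON + b"\n" + b"\x01" * 8 + PREFIX + b"tail"

def evaluate(ports, adjacent):
    """Run constructed (src_port, payload) samples through the matcher."""
    samples = {
        "display :0 failure": (5900, VNC_FAIL),
        "display :2 failure": (5902, VNC_FAIL),
        "display :5 failure": (5905, VNC_FAIL),
        "non-VNC data on 5903": (5903, UNRELATED),
    }
    return {name: rule_matches(port, data, ports, adjacent)
            for name, (port, data) in samples.items()}

if __name__ == "__main__":
    for ports, adjacent in (("5900", False), ("5900:5903", False), ("5900:5903", True)):
        print(ports, "adjacent" if adjacent else "as posted", evaluate(ports, adjacent))
```

With `5900` only, the failure on display :2 is missed; with `5900:5903` it is caught, but the constructed non-VNC payload on 5903 also matches unless the two patterns are required to be adjacent.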