[Snort-sigs] Re: [Snort-users] VNC Failed Login

Jose Maria Lopez jkerouac at ...12370...
Tue Sep 14 08:57:59 EDT 2004


On Fri, 03 Sep 2004 at 01:03, Nigel Houghton wrote:
> On  0, Frank Knobbe <frank at ...9761...> allegedly wrote:
> > On Thu, 2004-09-02 at 13:26, sekure wrote:
> > > Saw a warning on isc.sans.org about brute force VNC login attempts and
> > > couldn't really find any rules to detect it, so I threw together this
> > > one:
> > > 
> > > alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login";
> > > flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|";
> > > content:"Authentication|20|failure"; classtype:unsuccessful-user;
> > > sid:1000001; rev:1;)
> > 
> > VNC does not only operate on port 5900 (that's display :0), but also on
> > other ports up to 5999. Where are those port lists when you need them :)
> 
> Port _ranges_ do exist. $HOME_NET 5900:5903 would take care of 4
> displays. You might be increasing the likelihood of false positives though. 
> 
> +-------------------------------------------------------------------------+
>        Nigel Houghton       Research Engineer        Sourcefire Inc.
>                        Vulnerability Research Team
>                                                                          
>   "Dude, dolphins are intelligent and friendly!" - Wendy
>   "Intelligent and friendly on rye bread, with some mayonnaise." - Cartman
> +-------------------------------------------------------------------------+

I think it can use the 5801 and up ports to communicate and even
the 6001 (the ones from X) and up to communicate. I block them all.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac at ...12346...
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
SPAIN

The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
                -- Jack Kerouac, "On the Road"
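An added example, not part of the original thread: an offline replay of the rule's two content matches over server-to-client payloads, showing what the single-port rule misses compared with the range 5900:5999, plus a per-client count to separate bursts from the occasional mistyped password. The count of 5 in 60 seconds, the sample addresses and the sample packets are assumptions constructed for illustration.

```python
from collections import defaultdict

# Byte patterns copied from the two content options of the rule in the thread.
CONTENT_1 = bytes.fromhex("00000000000100000016")
CONTENT_2 = b"Authentication failure"

ORIGINAL_PORTS = range(5900, 5901)   # the rule as posted: display :0 only
VNC_PORTS = range(5900, 6000)        # 5900:5999, as suggested in the replies


def matches_rule(server_port, payload, ports=VNC_PORTS):
    """True when a server-to-client payload satisfies both content matches.

    Without distance/within modifiers each Snort content option is searched
    independently in the payload, so two substring tests are equivalent.
    """
    return (server_port in ports
            and CONTENT_1 in payload
            and CONTENT_2 in payload)


def brute_force_sources(packets, ports=VNC_PORTS, count=5, seconds=60):
    """packets: iterable of (timestamp, server_port, client_ip, payload).

    Returns the client IPs that received `count` or more failed-login
    responses inside any window of `seconds` (assumed threshold values).
    """
    hits = defaultdict(list)
    flagged = set()
    for ts, port, client, payload in sorted(packets, key=lambda p: p[0]):
        if not matches_rule(port, payload, ports):
            continue
        recent = [t for t in hits[client] if ts - t < seconds]
        recent.append(ts)
        hits[client] = recent
        if len(recent) >= count:
            flagged.add(client)
    return flagged


# Constructed sample traffic (documentation addresses, not real captures).
FAIL = CONTENT_1 + CONTENT_2
SAMPLE = (
    [(float(i), 5901, "192.0.2.10", FAIL) for i in range(6)]       # burst, display :1
    + [(0.0, 5900, "192.0.2.20", FAIL), (300.0, 5900, "192.0.2.20", FAIL)]  # rare failures
    + [(1.0, 5900, "192.0.2.30", bytes(4))]                          # no failure text
    + [(float(i), 6001, "192.0.2.40", FAIL) for i in range(6)]      # outside 5900:5999
)

if __name__ == "__main__":
    print("range 5900:5999 :", brute_force_sources(SAMPLE))
    print("port 5900 only  :", brute_force_sources(SAMPLE, ports=ORIGINAL_PORTS))
```

Widening the port range also widens what can match, which is the false-positive trade-off raised in the reply above; requiring both byte patterns and a count per client keeps that in check.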




