[Snort-users] Policy VNC server response

Hin hchlai at ...2792...
Wed Sep 28 06:39:01 EDT 2005

Hi Snorters, 

A quick question on the below signature. From what I understand, the below signature will detect the response traffic of a VNC server, which means the source address of the alert should be where the VNC server is, right? 
What would the reason be if I see the VNC server in the destination address field of the alert?

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)


Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp

More information about the Snort-users mailing list