[Snort-users] Policy VNC server response
hchlai at ...2792...
Wed Sep 28 06:39:01 EDT 2005
A quick question on the below signature. From what I understand, the below signature will detect the response traffic of a VNC server, which means the source address of the alert should be where the VNC server is, right?
What would the reason be if I see the VNC server in the destination address field of the alert?
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
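An added example (not part of the original post or of the Snort rule set): in the RFB handshake both the server and the client send a 12-byte ProtocolVersion string of the form `RFB 003.008\n`, and the rule's `flow:established` carries no direction qualifier, so its content checks match either side of the session. The sketch below applies the rule's header and content tests to constructed packets; the addresses, the `HOME_NET` value and the choice of `$EXTERNAL_NET` as `!$HOME_NET` are assumptions.

```python
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")  # assumed $HOME_NET; $EXTERNAL_NET taken as !$HOME_NET

def content_match(payload, pattern, offset=0, depth=None):
    """Absolute Snort content match: look for pattern in `depth` bytes from `offset`."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]

def payload_matches(payload):
    # content:"RFB 0"; depth:5;  and  content:".0"; depth:2; offset:7;
    return (content_match(payload, b"RFB 0", depth=5)
            and content_match(payload, b".0", offset=7, depth=2))

def rule_fires(src, dst, payload):
    # Header: $EXTERNAL_NET any -> $HOME_NET any. flow:established has no
    # to_client/to_server qualifier, so direction within the session is not checked.
    return (ip_address(src) not in HOME_NET
            and ip_address(dst) in HOME_NET
            and payload_matches(payload))

def alerts(packets):
    """Return (src, dst) for every packet of an established session that alerts."""
    return [(src, dst) for src, dst, payload in packets if rule_fires(src, dst, payload)]

VERSION = b"RFB 003.008\n"  # ProtocolVersion message, sent by the server and then by the client

# Constructed sessions (documentation addresses, not captured traffic).
SERVER_OUTSIDE = [
    ("198.51.100.10", "192.0.2.20", VERSION),  # external server -> internal client
    ("192.0.2.20", "198.51.100.10", VERSION),  # internal client -> external server
]
SERVER_INSIDE = [
    ("192.0.2.5", "203.0.113.7", VERSION),     # internal server -> external client
    ("203.0.113.7", "192.0.2.5", VERSION),     # external client -> internal server
]

if __name__ == "__main__":
    print("server outside HOME_NET:", alerts(SERVER_OUTSIDE))
    print("server inside HOME_NET: ", alerts(SERVER_INSIDE))
```

With the server inside `HOME_NET`, the only packet that alerts is the external client's version message, so the alert's destination is the VNC server.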