[Snort-users] Policy VNC server response

Joel Esler joel.esler at ...1935...
Wed Sep 28 06:45:48 EDT 2005


You may not have your HOME_NET and EXTERNAL_NET properly defined...

Joel


On Sep 28, 2005, at 9:36 AM, Hin wrote:

> Hi Snorters,
>
> A quick question on the below signature. From what I understand,  
> the below signature will detect the response traffic of a VNC  
> server, which means the source address of the alert should be where  
> the VNC server is, right?
> What would the reason be if I see the VNC server in the destination  
> address field of the alert?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
>
> Hin

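Added example, not part of the original thread and not Snort code: a small Python model of the header and content checks in sid:560, run over a constructed RFB handshake under three HOME_NET/EXTERNAL_NET definitions to show which side ends up as the alert's destination. It relies on the RFB handshake, in which the client answers the server's ProtocolVersion string with one of the same format; the addresses and helper names are assumptions made for the illustration.

```python
import ipaddress

# Rule sid:560 from the message above, reduced to what decides the match.
# flow:established carries no direction keyword, so it is not modelled here.
CONTENTS = [(b"RFB 0", 0, 5), (b".0", 7, 2)]   # (pattern, offset, depth)

def in_var(ip, var):
    """True if ip falls in a Snort-style variable: 'any', a CIDR, or '!CIDR'."""
    if var == "any":
        return True
    negate = var.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(var.lstrip("!"))
    return hit != negate

def content_match(payload):
    """Each content must occur inside payload[offset : offset + depth]."""
    return all(pat in payload[off:off + depth] for pat, off, depth in CONTENTS)

def alerts(packets, home_net, external_net):
    """(src, dst) of every packet that `$EXTERNAL_NET any -> $HOME_NET any` fires on."""
    return [(src, dst) for src, dst, payload in packets
            if in_var(src, external_net) and in_var(dst, home_net)
            and content_match(payload)]

# Constructed handshake: both RFB peers send a 12-byte ProtocolVersion string.
SERVER, CLIENT = "192.0.2.10", "198.51.100.7"   # sample addresses
HANDSHAKE = [
    (SERVER, CLIENT, b"RFB 003.008\n"),   # server -> client
    (CLIENT, SERVER, b"RFB 003.008\n"),   # client -> server reply
]

if __name__ == "__main__":
    for home, ext in [("any", "any"),
                      ("192.0.2.0/24", "!192.0.2.0/24"),
                      ("198.51.100.0/24", "!198.51.100.0/24")]:
        print(f"HOME_NET={home} EXTERNAL_NET={ext}")
        for src, dst in alerts(HANDSHAKE, home, ext):
            print(f"  alert {src} -> {dst}")
```

With both variables set to `any` the model alerts in both directions; with the server's network as HOME_NET only the client's reply alerts, which puts the VNC server in the destination field.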



