[Snort-users] Policy VNC server response
joel.esler at ...1935...
Wed Sep 28 06:45:48 EDT 2005
You may not have your HOME_NET and EXTERNAL_NET properly defined...
On Sep 28, 2005, at 9:36 AM, Hin wrote:
> Hi Snorters,
> A quick question on the below signature. From what I understand,
> the below signature will detect the response traffic of a VNC
> server, which means the source address of the alert should be where
> the VNC server is, right?
> What would the reason be if I see the VNC server in the destination
> address field of the alert?
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC
> server response"; flow:established; content:"RFB 0"; depth:5;
> content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560;
> Switch to Netscape Internet Service.
> As low as $9.95 a month -- Sign up today at http://isp.netscape.com/
> Netscape. Just the Net You Need.
> New! Netscape Toolbar for Internet Explorer
> Search from anywhere on the Web and block those annoying pop-ups.
> Download now at http://channels.netscape.com/ns/search/install.jsp
> This SF.Net email is sponsored by:
> Power Architecture Resource Center: Free content, downloads,
> and more. http://solutions.newsforge.com/ibmarch.tmpl
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users