[Snort-users] trouble with RDP rules

Сергей Малинкин malinkinsa at ...11827...
Wed May 28 03:44:30 EDT 2014


Hello friends!

In one subnet I can not collect RDP events in Snort.

I am using the following rules:

alert tcp any any -> any 3389 (msg:"ET POLICY RDP connection request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|E0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001329; classtype:misc-activity; sid:2001329; rev:8;)

alert tcp any 3389 -> any any (msg:"ET POLICY RDP connection confirm"; flow: from_server,established; content:"|03|"; offset: 0; depth: 1; content:"|D0|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001330; classtype:misc-activity; sid:2001330; rev:8;)

alert tcp any any -> any 3389 (msg:"ET POLICY RDP disconnect request"; flow: to_server,established; content:"|03|"; offset: 0; depth: 1; content:"|80|"; offset: 5; depth: 1; reference:url,doc.emergingthreats.net/2001331; classtype:misc-activity; sid:2001331; rev:8;)

If I collect data from tcpdump and sort by my IP, I see the following result:

10:53:14.803778 IP my_ip.cyaserv > hostname.local.ms-wbt-server: Flags [P.], seq 14366:14407, ack 48920, win 64805, length 41

10:53:14.804046 IP hostname.local.ms-wbt-server > my_ip.cyaserv: Flags [P.], seq 48920:48967, ack 14407, win 64735, length 47


Where my_ip is the IP of my workstation from which I am connecting, and hostname is the target workstation.

How can I use Snort to collect this event?

Thx!
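As an added illustration (not part of the original post, and not code from the Snort project or Emerging Threats), here is a small Python model of what the three rules' content/offset/depth checks actually test, run against constructed TPKT/X.224 payloads. The rules look at byte 0 of the TCP payload (0x03, the TPKT version) and byte 5 (the X.224 TPDU code: 0xE0 Connection Request, 0xD0 Connection Confirm, 0x80 Disconnect Request). The packet builder, the sample payloads and the `direction` argument standing in for `flow:to_server`/`from_server` are all assumptions made for this example.

```python
"""Model of the three ET RDP rules from the post, applied to constructed
TCP payloads.  Added example, not the Snort engine and not ET's own code."""

TPKT_VERSION = 0x03   # byte 0: TPKT version (RFC 1006)
X224_CR = 0xE0        # byte 5: X.224 Connection Request TPDU code
X224_CC = 0xD0        # byte 5: X.224 Connection Confirm TPDU code
X224_DR = 0x80        # byte 5: X.224 Disconnect Request TPDU code
X224_DT = 0xF0        # byte 5: X.224 Data TPDU code (established-session data)

# (sid, msg, flow direction, required byte-5 value) taken from the rules above
RULES = [
    (2001329, "ET POLICY RDP connection request", "to_server", X224_CR),
    (2001330, "ET POLICY RDP connection confirm", "from_server", X224_CC),
    (2001331, "ET POLICY RDP disconnect request", "to_server", X224_DR),
]


def matching_sids(payload: bytes, direction: str) -> list:
    """Return the sids whose checks match this TCP payload.

    content:"|03|"; offset:0; depth:1  ->  payload[0] == 0x03
    content:"|XX|"; offset:5; depth:1  ->  payload[5] == 0xXX
    flow:to_server / from_server is modelled by the `direction` argument
    (assumed names; Snort derives the direction from the TCP session).
    """
    if len(payload) < 6 or payload[0] != TPKT_VERSION:
        return []
    return [sid for sid, _msg, flow, code in RULES
            if flow == direction and payload[5] == code]


def tpkt_x224(tpdu_code: int, body: bytes) -> bytes:
    """Build TPKT header + X.224 TPDU: TPKT(4 bytes) + LI + code + body.
    The X.224 length indicator counts the code byte plus the body."""
    x224 = bytes([len(body) + 1, tpdu_code]) + body
    total = 4 + len(x224)
    return bytes([TPKT_VERSION, 0x00]) + total.to_bytes(2, "big") + x224


# Constructed sample payloads (not captured traffic):
# X.224 CR/CC/DR carry DST-REF(2) SRC-REF(2) CLASS(1); the CR also carries
# the optional mstshash routing cookie that RDP clients send.
CONN_REQUEST = tpkt_x224(X224_CR, b"\x00\x00\x00\x00\x00"
                         + b"Cookie: mstshash=user\r\n")
CONN_CONFIRM = tpkt_x224(X224_CC, b"\x00\x00\x12\x34\x00")
DISCONNECT = tpkt_x224(X224_DR, b"\x00\x00\x12\x34\x00")
# Established-session data: still TPKT-framed, but byte 5 is the DT code.
MID_SESSION_DT = tpkt_x224(X224_DT, b"\x80" + bytes(30))
# Established-session data once the channel is wrapped in TLS: the TCP
# payload starts with a TLS record header, so byte 0 is not 0x03 at all.
MID_SESSION_TLS = b"\x17\x03\x03\x00\x24" + bytes(36)


def demo() -> dict:
    """Evaluate every constructed payload against the rule model."""
    samples = {
        "connection request": (CONN_REQUEST, "to_server"),
        "connection confirm": (CONN_CONFIRM, "from_server"),
        "disconnect request": (DISCONNECT, "to_server"),
        "x224 data tpdu": (MID_SESSION_DT, "to_server"),
        "tls record": (MID_SESSION_TLS, "to_server"),
    }
    return {name: matching_sids(p, d) for name, (p, d) in samples.items()}


if __name__ == "__main__":
    for name, sids in demo().items():
        print(f"{name:20s} -> {sids or 'no alert'}")
```

The model makes the practical point explicit: all three rules can only fire on the X.224 setup TPDUs, which are the first payload bytes of an RDP session. Once the session is established, client and server exchange X.224 Data TPDUs (byte 5 is 0xF0) or, with TLS in use, TLS records that do not even start with a TPKT header, so none of the rules match. A capture or a Snort deployment that only sees mid-session segments (note the large sequence numbers in the tcpdump excerpt) will therefore not produce these alerts; the sensor has to observe the TCP handshake and the first data segments, and the stream preprocessor must have tracked the session for `flow:established` to be satisfied.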

