Server Fault Asked on November 7, 2021
I am very new to Snort rules, so I can't understand the rule below exactly. Does this rule send an alert when TCP packets come from the external network on any port to the home network on port 3389? Does it just check port, IP and protocol? If so, I think it can't detect an RDP DoS attack, because when a usual RDP connection wants to establish, this rule sends an alert too.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt"; sid:21619; gid:3; rev:5; classtype:attempted-admin; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; metadata: engine shared, soid 3|21619, service rdp, policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;)
Check out these rules. I tried to log in to my RDP with a wrong password and got these errors: https://rules.emergingthreats.net/open/snort-2.9.0/
[**] [1:2001329:7] ET POLICY RDP connection request [**]
[Classification: Misc activity] [Priority: 3]
02/24-21:51:19.945279 192.168.15.214:4763 -> 192.168.12.222:3389
TCP TTL:128 TOS:0x0 ID:10379 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0x4F195349 Ack: 0xDFFE9710 Win: 0x100 TcpLen: 20
[**] [1:2001329:7] ET POLICY RDP connection request [**]
[Classification: Misc activity] [Priority: 3]
02/24-21:51:23.159044 192.168.88.214:2764 -> 192.168.122.102:3389
TCP TTL:128 TOS:0x0 ID:10414 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xC8252E54 Ack: 0x56A6EC54 Win: 0x100 TcpLen: 20
BTW, do you know that the RDP account lockout in group policy, when somebody enters a wrong password, is not applied to "administrator", only to users?
Answered by user956584 on November 7, 2021
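The following is an added example, not code from the question or the answer above. It is a miniature Snort-style matcher that separates what a rule *header* decides (protocol, source and destination addresses, ports) from what payload content options decide. The quoted gid:3 rule is a shared-object rule (gid:3, "engine shared" in its metadata): its detection logic is compiled, and the text stub carries no content options, so the stub by itself is only a header filter and matches every external connection to port 3389, which is the behaviour the question describes. A second, hypothetical content rule (not the ET rule referenced in the answer) shows how a rule that checks the first bytes of an RDP X.224 Connection Request still fires on every ordinary client connection, so content alone does not distinguish a normal login from an attack either. The HOME_NET/EXTERNAL_NET values, the content rule and the three packets are assumptions constructed for this example.

```python
"""Added example: a miniature Snort-style rule matcher (not code from the post).

Shows header-only matching (the quoted gid:3 stub) against content matching
(a hypothetical rule).  VARS, CONTENT_RULE and the packets are assumptions.
"""
import ipaddress

# Assumed snort.conf variables; the page does not state the real ones.
VARS = {"$HOME_NET": ["192.168.0.0/16"], "$EXTERNAL_NET": ["!192.168.0.0/16"]}

# The rule quoted in the question, verbatim.
QUOTED_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft '
    'Windows RemoteDesktop connect-initial pdu remote code execution attempt"; '
    'sid:21619; gid:3; rev:5; classtype:attempted-admin; reference:cve,2012-0002; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; '
    'metadata: engine shared, soid 3|21619, service rdp, policy balanced-ips drop, '
    'policy security-ips drop, policy max-detect-ips drop;)')

# Hypothetical content rule (assumed, not the ET rule): fires when the payload
# starts with a TPKT header and byte 5 is the X.224 Connection Request code.
CONTENT_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"EXAMPLE RDP X.224 '
    'connection request"; flow:to_server,established; content:"|03 00|"; depth:2; '
    'content:"|e0|"; offset:5; depth:1; sid:1000001; rev:1;)')


def split_options(opts):
    """Split 'a:1; b:"x;y"; c;' on semicolons that are outside double quotes."""
    out, buf, in_quote = [], "", False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            out.append(buf.strip())
            buf = ""
        else:
            buf += ch
    if buf.strip():
        out.append(buf.strip())
    return out


def hex_content(value):
    """Decode a Snort content string: literal text outside |...|, hex inside."""
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode("latin-1")
                    for i, p in enumerate(value.split("|")))


def parse_rule(text):
    """Parse a '->' rule into header fields plus an options dict.

    Only content/offset/depth are interpreted; msg, sid, gid, flow, metadata
    and the rest are stored as raw strings and ignored by the matcher.
    """
    head, _, opts = text.strip().partition("(")
    action, proto, src, sport, _direction, dst, dport = head.split()
    rule = dict(action=action, proto=proto, src=src, sport=sport,
                dst=dst, dport=dport, opts={"content": []})
    for opt in split_options(opts.rstrip(")")):
        name, _, value = opt.partition(":")
        name, value = name.strip(), value.strip().strip('"')
        if name == "content":
            rule["opts"]["content"].append({"pattern": hex_content(value)})
        elif name in ("offset", "depth") and rule["opts"]["content"]:
            rule["opts"]["content"][-1][name] = int(value)
        else:
            rule["opts"][name] = value
    return rule


def addr_matches(spec, ip):
    """Resolve $VARS and a leading '!' negation, then test membership of ip."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    for s in VARS.get(spec, [spec]):
        negate = s.startswith("!")
        inside = addr in ipaddress.ip_network(s.lstrip("!"), strict=False)
        if inside != negate:
            return True
    return False


def port_matches(spec, port):
    if spec == "any":
        return True
    lo, sep, hi = spec.partition(":")
    return int(lo or 0) <= port <= int(hi or 65535) if sep else int(spec) == port


def header_matches(rule, pkt):
    """Everything a bare rule header can decide: proto, addresses, ports."""
    return (rule["proto"] == pkt["proto"]
            and addr_matches(rule["src"], pkt["src"])
            and port_matches(rule["sport"], pkt["sport"])
            and addr_matches(rule["dst"], pkt["dst"])
            and port_matches(rule["dport"], pkt["dport"]))


def content_matches(rule, payload):
    """Absolute content matches: each pattern must lie within offset..offset+depth."""
    for c in rule["opts"]["content"]:
        start = c.get("offset", 0)
        end = start + c["depth"] if "depth" in c else len(payload)
        if payload.find(c["pattern"], start, end) < 0:
            return False
    return True


def rule_fires(rule, pkt):
    return header_matches(rule, pkt) and content_matches(rule, pkt["payload"])


# Constructed payloads.  X224_CR is an ordinary client's first RDP PDU: TPKT
# header (03 00 + length 0x13), X.224 Connection Request (0e e0 ...) and an
# RDP Negotiation Request (type 01, length 8, protocols TLS|CredSSP).
X224_CR = bytes.fromhex("03000013 0ee000000000 00 0100080003000000")
HTTP_PROBE = b"GET / HTTP/1.0\r\n\r\n"   # a scanner poking port 3389


def packet(src, sport, dst, payload):
    return dict(proto="tcp", src=src, sport=sport, dst=dst, dport=3389, payload=payload)


PACKETS = {
    "rdp client, outside": packet("203.0.113.5", 50000, "192.168.12.222", X224_CR),
    "http probe, outside": packet("203.0.113.5", 50001, "192.168.12.222", HTTP_PROBE),
    "rdp client, inside": packet("192.168.15.214", 4763, "192.168.12.222", X224_CR),
}


def demo():
    """Map packet name -> (quoted-rule stub fires, content rule fires)."""
    quoted, content = parse_rule(QUOTED_RULE), parse_rule(CONTENT_RULE)
    return {name: (rule_fires(quoted, p), rule_fires(content, p))
            for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, (q, c) in demo().items():
        print("%-20s quoted stub: %-5s content rule: %s" % (name, q, c))
```

Run stand-alone, the quoted stub fires on both outside packets (including the HTTP probe, because its text contains no payload check at all), while the content rule fires only on the genuine X.224 Connection Request; neither fires on the inside host because the assumed $EXTERNAL_NET excludes 192.168.0.0/16. Telling a normal connection from an exploit attempt requires inspecting the later MCS connect-initial PDU, which for the gid:3 rule happens inside the shared object and is not visible in the stub.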