Snort mailing list archives
Re: VNC Rule
From: "Alex Butcher, ISC/ISYS" <Alex.Butcher () bristol ac uk>
Date: Fri, 13 Aug 2004 09:45:48 +0100
--On 12 August 2004 05:51 -0700 jonasb () alum rpi edu wrote:
Hi - I know that rule 560 in the default Snort ruleset detects VNC traffic - but it seems to detect two packets per server connection: one from the server responding to the connection and one from the client back to the server. I need to detect traffic in only one direction.
[snip]
I could just change ANY in the second rule to ![192.168.0.0/24], but then I wouldn't detect server responses from MIS clients (even more important). Does anybody have a VNC rule that will only log the server's response (one packet per session initation)?
I look for SYN-ACK packets originating from the server address + port for this purpose (i.e. flags: SA,12"). I've used this approach for other rules, but not for VNC (yet).
Thanks B
Best Regards, Alex. -- Alex Butcher: Security & Integrity, Personal Computer Systems Group Information Systems and Computing GPG Key ID: F9B27DC9 GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9 ------------------------------------------------------- SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33 Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift. http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- VNC Rule jonasb (Aug 12)
- Re: VNC Rule sekure (Aug 12)
- Re: VNC Rule Alex Butcher, ISC/ISYS (Aug 13)