Snort mailing list archives

Re: Creating a rule for RDP


From: "Simon Wesseldine" <simon.wesseldine () idappcom com>
Date: Mon, 9 Feb 2015 10:57:22 -0000

Jason,

Although I will not be able to provide you with the exact answer, I do have
advice on how I would tackle the problem.

I would use Wireshark to analyse the client-server connections whilst you
perform some distinct operations. Then compare the encrypted conversations
in Wireshark to see if you can identify the different processes taking
place. If you are able to identify different patterns and make valid
statements about those differences, then you should be able to write some
Snort rules, e.g. bytes 3, 5 and 7 coming from the server are the values \x08,
\x4f and \xf0 for every failed login attempt, etc.

Obviously, if you cannot correctly identify the failed login attempts from
the encrypted traffic, then this method will not be possible.

I hope that helps, good luck.

Best regards,

Simon.
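The kind of rule Simon describes, written out as an added example that is not from the original post. It assumes RDP on TCP 3389, counts bytes from 1 (so "byte 3" is payload offset 2), and uses the hypothetical \x08/\x4f/\xf0 values quoted above; the detection_filter is an added refinement so the rule fires only on repeated failures from a single client.

```snort
# Added example, not from the original post. Assumes the server is in
# $HOME_NET on TCP 3389 and that the quoted byte positions are 1-based.
# Each content keyword carries its own absolute offset with depth:1, so
# exactly one payload byte is tested per match; flow:from_server restricts
# the rule to the server's side of an established session.
alert tcp $HOME_NET 3389 -> any any ( \
    msg:"LOCAL RDP server response matching hypothetical failed-logon pattern"; \
    flow:from_server,established; \
    content:"|08|"; offset:2; depth:1; \
    content:"|4F|"; offset:4; depth:1; \
    content:"|F0|"; offset:6; depth:1; \
    detection_filter:track by_dst, count 5, seconds 60; \
    classtype:attempted-user; \
    sid:1000001; rev:1; )
```

With the detection_filter in place, the first four matching responses to a given client within 60 seconds produce no alert; remove that line if every suspected failure should be logged individually.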
