List: bleeding-sigs
Subject: Re: [Bleeding-sigs] Bleeding Sig Proposal re: RDP scanning
From: Matt Jonkman <mjonkman () infotex ! com>
Date: 2006-07-14 16:44:39
Message-ID: 44B7C9F7.5080208 () infotex ! com
Good point Reg. Should we consider separate sigs for the horizontal
scans and probes, and then different ones for a true brute?
Too bad we can't threshold by source and dest pairs...
Matt
Reg Quinton wrote:
>> On the RDP especially I have to agree with Jeff. Tools like tsgrinder
>> don't have to make that many connections, and each stays for a while.
>
> I'll defer to your experience, but I think you're focusing on the attack
> phase..
>
>> Remember you get 3 or 5 failed logins per TS session before you're
>> booted, plus it's usually 3-8 seconds for each session to startup. So
>> you've got a natural throttle keeping the number of new connections
>> pretty low.
>
> The reconnaissance (sp?) phase doesn't have that throttle. I'm after
> snort alerts to fill in a bit of detail to the port scans/sweeps already
> generated.
>
> cf. the VNC and SSH scanning activity alerts.
>
>
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
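The thread above wants two different detections for tcp/3389: a horizontal scan (one source touching many hosts with brief probes, which a per-source threshold can express) and a slow brute force (one source returning to one host with sessions that stay up for a few seconds each, which needs tracking by source/destination pair, the thing Matt notes the threshold keyword cannot do). The script below is an added example written for this page, not a Bleeding Snort rule or code from anyone on the list: it runs the two tests over constructed flow records. The window sizes, thresholds, the Flow record shape and all addresses are assumptions.

```python
"""Classify tcp/3389 activity as horizontal scan vs. per-pair brute force.

Added example for this page; not from the bleeding-sigs thread or the
Bleeding Snort rule set. Flow records are constructed, and every window
size and threshold below is an assumption to be tuned per environment.
"""
from collections import defaultdict
from dataclasses import dataclass

RDP_PORT = 3389

# Assumed thresholds (not from the thread).
SCAN_WINDOW = 60.0        # seconds
SCAN_MIN_HOSTS = 10       # distinct destination hosts from one source
BRUTE_WINDOW = 600.0      # seconds
BRUTE_MIN_SESSIONS = 5    # sessions between one source/destination pair
BRUTE_MIN_DURATION = 3.0  # seconds; a probe is sub-second, a login attempt stays up


@dataclass(frozen=True)
class Flow:
    """One completed TCP connection, as a flow collector would emit it (assumed shape)."""
    ts: float        # start time, seconds
    src: str
    dst: str
    dport: int
    duration: float  # seconds the session stayed open


def _max_in_window(flows, window, key=None):
    """Largest number of flows (or of distinct key() values) whose start
    times fall inside any `window`-second span. `flows` must be sorted by ts."""
    best = 0
    for i, first in enumerate(flows):
        span = [f for f in flows[i:] if f.ts < first.ts + window]
        n = len({key(f) for f in span}) if key else len(span)
        best = max(best, n)
    return best


def classify(flows):
    """Return {(src, dst_or_None): (verdict, count)} for every source or
    pair that crosses a threshold. dst is None for a horizontal-scan verdict."""
    rdp = sorted((f for f in flows if f.dport == RDP_PORT), key=lambda f: f.ts)
    by_src, by_pair = defaultdict(list), defaultdict(list)
    for f in rdp:
        by_src[f.src].append(f)
        by_pair[(f.src, f.dst)].append(f)

    verdicts = {}
    # Horizontal scan: one source, many destinations, tracked by source only
    # (the part a by_src threshold can already express).
    for src, fl in by_src.items():
        hosts = _max_in_window(fl, SCAN_WINDOW, key=lambda f: f.dst)
        if hosts >= SCAN_MIN_HOSTS:
            verdicts[(src, None)] = ("rdp_horizontal_scan", hosts)
    # Brute force: repeated longer-lived sessions to the same host, tracked by
    # (src, dst) pair. Brief probes are excluded so a scan does not also fire here.
    for pair, fl in by_pair.items():
        attempts = [f for f in fl if f.duration >= BRUTE_MIN_DURATION]
        n = _max_in_window(attempts, BRUTE_WINDOW)
        if n >= BRUTE_MIN_SESSIONS:
            verdicts[pair] = ("rdp_bruteforce", n)
    return verdicts


def sample_flows():
    """Constructed flows, not captured traffic."""
    flows = []
    # A scanner sweeping 24 hosts on 3389 in 24 seconds; each probe is brief.
    for i in range(24):
        flows.append(Flow(1000.0 + i, "10.0.0.5", f"10.1.0.{i + 1}", RDP_PORT, 0.2))
    # A tsgrinder-style brute: a new session every ~30 s to one host, each
    # staying up ~20 s (a few failed logins before the server drops it).
    for i in range(8):
        flows.append(Flow(2000.0 + 30 * i, "10.0.0.9", "10.1.0.50", RDP_PORT, 20.0))
    # A legitimate admin: two long-lived sessions to the same host, well apart.
    flows.append(Flow(3000.0, "10.0.0.20", "10.1.0.50", RDP_PORT, 900.0))
    flows.append(Flow(5000.0, "10.0.0.20", "10.1.0.50", RDP_PORT, 600.0))
    # Traffic to other ports is ignored.
    flows.append(Flow(1005.0, "10.0.0.5", "10.1.0.99", 22, 0.2))
    return flows


if __name__ == "__main__":
    for key, (verdict, count) in sorted(classify(sample_flows()).items(), key=str):
        print(key, verdict, count)
```

Run as-is it reports the scanner once (24 hosts, scan verdict keyed by source alone) and the brute pair once (8 sessions), and stays silent on the admin, whose two sessions never share a window. The duration filter is what keeps the two verdicts apart: the scanner's 24 sub-second probes each go to a different host, so no pair accumulates sessions, while the brute's few connections are long-lived and all land on one pair.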