
List:       oisf-users
Subject:    Re: [Oisf-users] MS Terminal Traffic on non-standard port.
From:       Francis Trudeau <ftrudeau () emergingthreats ! net>
Date:       2017-10-10 0:16:08
Message-ID: CAA-Ja_7gQaLpS_BDaC8HVQe7LSpHekRqYj6gkthWEfxP_HGH8w () mail ! gmail ! com

That rule looks like this:

content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|";
offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern;

Looks pretty solid and SSH traffic that has cookies would be strange.
I'd like to see a PCAP of this if you can grab one.  Odd he would send
RDP traffic when presented with an SSH banner.

As far as your bogey, we logged 181.143.173.235 scanning for RDP in
June, so it's likely he's up to no good.  Also these guys show
scanning:

https://www.abuseipdb.com/check/181.143.173.235
http://blackip.ustc.edu.cn/search.php?ip=%B8%E7%C2%D7%B1%C8%D1%C7


FT
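As an added illustration (not part of the list thread), here is a small Python re-implementation of the three content checks in the rule quoted above, run over constructed payloads: an X.224 Connection Request carrying the mstshash cookie, an SSH banner, and a TPKT/X.224 request without a cookie. The offset/depth semantics (depth counted from the offset when both are given) are assumed from Suricata's documentation, and the packet layout is a constructed sample, not a capture from the original poster.

```python
from typing import Dict, Optional

# Assumed Suricata semantics: depth limits the search window, and when an
# offset is also given the window is [offset, offset + depth).
def content_match(payload: bytes, needle: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    end = len(payload) if depth is None else offset + depth
    return payload.find(needle, offset, end) != -1


def matches_mstshash_rule(payload: bytes) -> bool:
    """The three content matches of ET SCAN MS Terminal Server Traffic on
    Non-standard Port, as quoted in the reply above (header/port test omitted)."""
    return (content_match(payload, b"\x03\x00\x00", depth=3)                  # TPKT: version 3, length high byte 0
            and content_match(payload, b"\xe0\x00\x00\x00\x00\x00", offset=5, depth=6)  # X.224 CR TPDU, refs 0, class 0
            and content_match(payload, b"Cookie: mstshash="))                 # routing cookie (fast_pattern)


def build_x224_connection_request(username: str) -> bytes:
    """Constructed sample: TPKT header + X.224 Connection Request with mstshash cookie."""
    cookie = b"Cookie: mstshash=" + username.encode() + b"\r\n"
    # CR TPDU code 0xe0, DST-REF 0, SRC-REF 0, class 0, then the cookie as user data
    body = b"\xe0" + b"\x00\x00" + b"\x00\x00" + b"\x00" + cookie
    x224 = bytes([len(body)]) + body          # LI counts the bytes that follow it
    total_len = 4 + len(x224)                 # TPKT length covers the whole PDU
    return b"\x03\x00" + total_len.to_bytes(2, "big") + x224


# Constructed inputs: only the first one should trigger the signature.
SAMPLES: Dict[str, bytes] = {
    "rdp_connection_request": build_x224_connection_request("administrator"),
    "ssh_banner": b"SSH-2.0-OpenSSH_7.4\r\n",
    "tpkt_without_cookie": (b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"
                            b"\x01\x00\x08\x00\x00\x00\x00\x00"),
}


def classify(samples: Dict[str, bytes]) -> Dict[str, bool]:
    return {name: matches_mstshash_rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in classify(SAMPLES).items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

Shifting the X.224 header by one byte (for example a payload with two leading TPKT bytes duplicated) leaves the 0xe0 block outside the [5, 11) window and the rule no longer fires, which is why the rule's offset/depth values matter as much as the byte strings themselves.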

On Mon, Oct 9, 2017 at 5:32 PM, David Woodfall <dave@dawoodfall.net> wrote:
> I have noticed 4 of these in my fast.log:
>
> 10/06/2017-20:43:06.327646  [**] [1:2023753:2] ET SCAN MS Terminal
> Server Traffic on Non-standard Port [**] [Classification: Attempted
> Information Leak] [Priority: 2] {TCP} 181.143.173.235:64705 ->
> 192.168.1.2:22000
>
> All from the same IP.
>
> I am running sshd on that port and just wondering what the chances of
> someone finding that port by accident. There are no hits of him
> scanning a range of ports.
>
> I found a couple of things that run on that port, but it seems
> unusual.
_______________________________________________
Suricata IDS Users mailing list: oisf-users@openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/