
List:       snort-sigs
Subject:    Re: [Snort-sigs] Creating a rule for RDP
From:       "Barry Bahrami" <Barry () CommercialNetworkServices ! com>
Date:       2015-02-09 21:56:13
Message-ID: GKID.0482076500.vaygdkcq65a0yonnb39hrp7h.1423518972857 () email ! android ! com

No, not after each attempt. But it works well enough for the brute force scripts.


Sent from my Verizon Wireless 4G LTE smartphone


-------- Original message --------
From: Johnathan Wiltberger <johwiltb@gmail.com>
Date: 02/09/2015 1:42 PM (GMT-08:00)
To: Barry Bahrami <Barry@commercialnetworkservices.com>
Cc: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] Creating a rule for RDP

Does RDP re-establish a session with each login attempt? Because if not,
this may not be a valid attempt to find failed passwords. I'd test it, but
I don't have a system to test on right now; however, it may be important to
think about how the protocol behaves on login attempts.


- John Wiltberger

On Mon, Feb 9, 2015 at 12:33 PM, Barry Bahrami <
Barry@commercialnetworkservices.com> wrote:

> We have a firewall rule set up to block six connections to TCP 3389 from the
> same IP in a 10 second window. It works pretty well.
>
> Barry Bahrami
>
> *From:* Samuel M Westerfeld [mailto:sam@utexas.edu]
> *Sent:* Saturday, February 07, 2015 12:07 AM
> *To:* snort-sigs@lists.sourceforge.net
> *Subject:* Re: [Snort-sigs] Creating a rule for RDP
>
> No need to reinvent the wheel. This can (and should) be done through Group
> Policy or Local Security Policy in Windows.
>
> On Feb 7, 2015 1:36 AM, "Dave Killion" <dave.killion@gmail.com> wrote:
>
> While that's true - RDP is encrypted - a poor man's brute-force detection
> is to detect n connections in y seconds between IP peers. Say... 5
> connections in 10 seconds?
>
> A real user wouldn't go that fast unless they were rapidly trying
> credentials, and a script would go much faster. You may need to tune the
> interval, however, to something that makes sense in your network.
>
> Yes, this has problems with NAT, and yes, it has problems with slow brute,
> but... It's better than nothing, and I know with certainty that many
> commercial IDSes do exactly this.
>
> Dave Killion
>
>
> > On Feb 6, 2015, at 4:57 PM, Jason Haar <Jason_Haar@trimble.com> wrote:
> >
> >> On 23/01/15 12:06, Richard Giles wrote:
> >> Hello,
> >>
> >> I am trying to write a simple snort rule that will block RDP traffic if
> >> the password is failed more than 3-5 times. I have been experimenting using
> >> something like the following:
> >>
> > As far as I'm aware RDP is a fully encrypted channel, so any failed
> > login messages are sent by the server to the client over that encrypted
> > channel. In other words, it's just like SSH.
> >
> > i.e. Snort can't read it.
> >
> > The only way I can think of to detect RDP failed logins is to monitor
> > the event logs of Windows servers for failed login events :-(
> > --
> > Cheers
> >
> > Jason Haar
> > Corporate Information Security Manager, Trimble Navigation Ltd.
> > Phone: +1 408 481 8171
> > PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming. The Go Parallel Website,
> > sponsored by Intel and developed in partnership with Slashdot Media, is your
> > hub for all things parallel software development, from weekly thought
> > leadership blogs to news, videos, case studies, tutorials and more. Take a
> > look and join the conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!


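As an added illustration of the "n connections in y seconds" heuristic Dave describes and Barry's firewall applies (example code written for this archive page, not from anyone in the thread): a sliding-window detector over constructed connection-log lines that flags a source opening 5 or more new TCP/3389 sessions within 10 seconds, with the NAT and slow-brute limitations raised in the thread noted in the comments. The log format and IP addresses are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall-style log lines (not from the thread): "<ISO time> <src> -> <dst>:<dport>".
# They model a script opening a fresh TCP session to RDP for every credential guess,
# plus an ordinary user who connects twice, minutes apart.
SAMPLE_LOG = """\
2015-02-09T21:40:00 203.0.113.7 -> 192.0.2.10:3389
2015-02-09T21:40:01 203.0.113.7 -> 192.0.2.10:3389
2015-02-09T21:40:02 198.51.100.4 -> 192.0.2.10:443
2015-02-09T21:40:03 203.0.113.7 -> 192.0.2.10:3389
2015-02-09T21:40:05 203.0.113.7 -> 192.0.2.10:3389
2015-02-09T21:40:07 203.0.113.7 -> 192.0.2.10:3389
2015-02-09T21:41:30 198.51.100.4 -> 192.0.2.10:3389
2015-02-09T21:45:00 198.51.100.4 -> 192.0.2.10:3389
"""


def parse_line(line):
    """Return (timestamp, src_ip, dport) for one constructed log line."""
    ts, src, _, dst = line.split()
    dport = int(dst.rsplit(":", 1)[1])
    return datetime.fromisoformat(ts), src, dport


def rdp_burst_sources(log_text, count=5, seconds=10, port=3389):
    """Flag each source IP that opens `count` or more connections to `port`
    inside any `seconds`-long sliding window; returns {src_ip: first trigger time}.

    Limitations, as the thread notes: counting is per source IP, so every user
    behind one NAT address shares the same budget (false positives), and an
    attacker who paces attempts slower than the window is never flagged.
    """
    window = timedelta(seconds=seconds)
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        ts, src, dport = parse_line(line)
        if dport != port:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire connections older than the window
            q.popleft()
        if len(q) >= count and src not in flagged:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, when in rdp_burst_sources(SAMPLE_LOG).items():
        print(f"{src} exceeded the RDP connection rate at {when.isoformat()}")
```

In Snort rule syntax the same per-source count is expressed on SYNs to port 3389 with `flags:S;` and `detection_filter: track by_src, count 5, seconds 10;`, which is where a rate-based rule rather than a content match belongs, since the failed-login messages themselves travel inside the encrypted channel.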
