Matt, I'll propose a very slight variation on 200121 (but I don't like the threshold numbers) for RDP scanning.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE Potential RDP Scan"; flags: S; flowbits: set,rdp.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: attempted-recon; reference:url,ist.uwaterloo.ca/security/vulnerable/20050825.shtml; sid:9999005; rev:1;)
While there are several sigs on port 3389 in bleeding-all.rules I don't see any to catch this (and I detected a scan in cisco flow data yesterday; I've seen it a few times over the years).

Wrt. the url reference and flowbits, take it or leave it. The underlying issues are the same for all scans on remote access/password services.

I like all the "Potential XYZ Scan" alarms but would argue for some changes across them all to bring about some consistency.
1) we ought to make sure we alarm inbound and outbound traffic on all of them (to catch local compromises and remote attackers). Perhaps instead of the above we should have:
alert tcp any any -> any 3389 (msg: "BLEEDING-EDGE Potential RDP Scan"; flags: S; flowbits: set,rdp.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: attempted-recon; reference:url,ist.uwaterloo.ca/security/vulnerable/20050825.shtml; sid:9999005; rev:2;)
2) we ought to "standardize" the threshold numbers across them all (I think 5 in 120 seconds is too low a number for a reliable alarm on a potential scan and would push that up... I like the 70 in 60). Perhaps we should have:
alert tcp any any -> any 3389 (msg: "BLEEDING-EDGE Potential RDP Scan"; flags: S; flowbits: set,rdp.brute.attempt; threshold: type threshold, track by_src, count 70, seconds 60; classtype: attempted-recon; reference:url,ist.uwaterloo.ca/security/vulnerable/20050825.shtml; sid:9999005; rev:3;)
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
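The post argues that "5 in 120" fires too easily and that "70 in 60" is a more reliable scan threshold. The following is an added example (not part of the original post or of the Bleeding-sigs rule set) that approximates Snort's `threshold: type threshold, track by_src` semantics in Python and runs both tunings over a constructed set of SYN events: one source sweeping port 3389 across many hosts, and one administrator who reconnects a handful of times. The IP addresses, timings and the event tuple layout are all constructed for the example; the threshold logic follows Snort's documented behaviour (alert on every `count`-th matching event from a source within a `seconds` window, restarting the window after each alert) and is an approximation, not Snort's own code.

```python
"""Compare Snort-style 'type threshold, track by_src' tunings for an RDP scan
rule over constructed SYN events (added example; not the original rule set)."""
from collections import Counter

RDP_PORT = 3389


def run_threshold(events, count, seconds):
    """Approximate Snort's 'threshold: type threshold, track by_src'.

    events: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)
    Returns a list of (timestamp, src_ip) tuples, one per emitted alert.

    Only packets matching the rule header and 'flags: S' (dst port 3389, bare
    SYN) are counted. For each source, a window starts at its first counted
    packet; if a packet arrives after the window has expired the window and
    counter restart. When the counter reaches `count` an alert is emitted and
    the window restarts, so a steady stream alerts every `count`-th packet.
    """
    state = {}  # src_ip -> [window_start_ts, packets_in_window]
    alerts = []
    for ts, src, _dst, dport, flags in sorted(events, key=lambda e: e[0]):
        if dport != RDP_PORT or flags != "S":
            continue
        win = state.setdefault(src, [ts, 0])
        if ts - win[0] >= seconds:          # window expired: start a fresh one
            win[0], win[1] = ts, 0
        win[1] += 1
        if win[1] >= count:                 # count reached: alert and reset
            alerts.append((ts, src))
            win[0], win[1] = ts, 0
    return alerts


def count_alerts_by_src(events, count, seconds):
    """Number of alerts each source would generate under a given tuning."""
    return dict(Counter(src for _ts, src in run_threshold(events, count, seconds)))


def build_sample_events():
    """Constructed traffic (not captured data): a sweep plus normal admin use."""
    events = []
    # A scanner sending one SYN every 0.5 s for 60 s to successive hosts
    # (120 SYNs to port 3389 from a single source).
    for i in range(120):
        events.append((i * 0.5, "203.0.113.5", "10.0.0.%d" % (i % 254 + 1), RDP_PORT, "S"))
    # An administrator whose RDP session drops and reconnects six times in
    # 100 s: plausible behaviour on a flaky link, not a scan.
    for k in range(6):
        events.append((k * 20.0, "192.0.2.10", "10.0.0.50", RDP_PORT, "S"))
    # Noise that the rule must ignore: a mid-session ACK to 3389 and a SYN to SSH.
    events.append((6.0, "192.0.2.10", "10.0.0.50", RDP_PORT, "A"))
    events.append((5.0, "198.51.100.7", "10.0.0.50", 22, "S"))
    return events


if __name__ == "__main__":
    sample = build_sample_events()
    for count, seconds in ((5, 120), (70, 60)):
        print("count %d, seconds %d -> %s" % (count, seconds,
              count_alerts_by_src(sample, count, seconds)))
```

Running it shows the trade-off the post describes: at 5/120 the scanner produces 24 alerts and the reconnecting administrator produces one false positive, while at 70/60 the scanner still produces an alert and the administrator produces none. The same function can be pointed at real flow records (the post mentions cisco flow data) by mapping each flow to the tuple layout above.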