Good point Reg. Should we consider separate sigs for the horizontal scans and probes, and then different ones for a true brute? Too bad we can't threshold by source and dest pairs...

Matt
Reg Quinton wrote:
>> On the RDP especially I have to agree with Jeff. Tools like tsgrinder
>> don't have to make that many connections, and each stays for a while.
>
> I'll defer to your experience, but I think you're focusing on the attack
> phase..
>
>> Remember you get 3 or 5 failed logins per TS session before you're
>> booted, plus it's usually 3-8 seconds for each session to startup. So
>> you've got a natural throttle keeping the number of new connections
>> pretty low.
>
> The reconnaissance (sp?) phase doesn't have that throttle. I'm after
> snort alerts to fill in a bit of detail to the port scans/sweeps already
> generated.
>
> cf. the VNC and SSH scanning activity alerts.
>
--
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
http://my.infotex.com
http://www.infotex.com
http://www.bleedingsnort.com
--------------------------------------------
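An added illustration, not part of the thread, of the two separate detections Matt asks about: counting distinct destinations per source to catch a horizontal sweep, and counting new sessions per source/destination pair to catch a true brute force, which a plain per-source or per-destination threshold cannot express. The flow log, field layout and threshold values are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample flow log, one new TCP connection per line: "epoch src dst dport".
SAMPLE_LOG = """\
1000 10.0.0.5 192.168.1.10 3389
1002 10.0.0.5 192.168.1.11 3389
1004 10.0.0.5 192.168.1.12 3389
1006 10.0.0.5 192.168.1.13 3389
1010 10.0.0.9 192.168.1.20 3389
1015 10.0.0.9 192.168.1.20 3389
1021 10.0.0.9 192.168.1.20 3389
1027 10.0.0.9 192.168.1.20 3389
1033 10.0.0.9 192.168.1.20 3389
1040 10.0.0.7 192.168.1.30 3389
1900 10.0.0.7 192.168.1.30 3389
"""

def parse(log):
    """Parse the log into (ts, src, dst, port) tuples, oldest first."""
    events = []
    for line in log.splitlines():
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return sorted(events)

def classify(events, window=60, sweep_hosts=4, brute_conns=5):
    """Return {"sweep": {src}, "brute": {(src, dst, port)}}.
    sweep: a source reaching >= sweep_hosts distinct hosts on one port within window.
    brute: a src/dst/port pair opening >= brute_conns new sessions within window.
    """
    per_src = defaultdict(deque)    # (src, port) -> (ts, dst) seen in window
    per_pair = defaultdict(deque)   # (src, dst, port) -> ts seen in window
    alerts = {"sweep": set(), "brute": set()}
    for ts, src, dst, port in events:
        q = per_src[(src, port)]
        q.append((ts, dst))
        while ts - q[0][0] > window:      # slide the window; newest entry always stays
            q.popleft()
        if len({d for _, d in q}) >= sweep_hosts:
            alerts["sweep"].add(src)
        p = per_pair[(src, dst, port)]
        p.append(ts)
        while ts - p[0] > window:
            p.popleft()
        if len(p) >= brute_conns:         # per-pair threshold, tracked separately from the sweep
            alerts["brute"].add((src, dst, port))
    return alerts
```

The per-pair count stays low for the sweeping host and the distinct-host count stays at one for the brute-forcing host, so each source trips only its own alert.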
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingsnort.com
http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs