First off, we're trying to phase out our Snort box and move onto our under-used IPS that we got. I've been trying to match the Snort alerts we get to alerts that the IPS can give. The one that I haven't seen, or didn't realize was the one I wanted, was RDP connections.
Our current Snort notifies us when there is an RDP connection from the VPN to a server. Is there a sig that's already built in that detects this, or is it something that I might have to build? If it is the latter, how would you go about creating a signature for that?