IPS Signature for RDP Connects?

kylehughes · ‎10-15-2008

First off we're trying to phase out our snort box and move onto our under-used IPS that we got. I've been trying to match the snort alerts we get to alerts that IPS can give. The one that I haven't seen or didn't realize it was the one I wanted, was RDP connections.

Our current snort notifies us when there is a RDP connection from the VPN to a server. Is there a sig thats already built in that detects this or is it something that I might have to build. If it is the later, how would you go about creating a signature for that?

Thanks

abinjola · ‎10-16-2008

Using Custom Signature Wizard you need to create your own signature for this RDP traffic

elevin · ‎04-22-2009

Kyle -

Did you ever find (or write) a signature to detect RDP connections? I'm specifically looking to detect RDP connections over non-standards ports (similar to the SSH over non-standard ports signature that exists).

kylehughes · ‎04-22-2009

No I haven't, but that project has semi been put on the back burner. I will try and update the thread if we figure out a sig

r.malviya · ‎04-22-2009

Hi Kyle,

Try to use Below link to search specific signature you want .

http://tools.cisco.com/security/center/search.x

Regards

Ritesh Malviya