It seems like the IPS is getting "some" but not all the attempts. I'll get notifications that x.x ip address was blocked on this signature, yet other servers repeatedly get pounded with bad RDP requests.
Anyone have a sure fire way to have the IPS inspect all traffic for bad RDP requests?
I'm seeing the same results you are; I'm getting some but not all of the attacks. I think there are different methods of the attack and we are seeing only one. My next step is to try and capture some of the attack while it's happening, then go through that and see what I can find for a flag. I'll update the article when I have some progress. Or private message me and I'll let you know if I find anything.
Re: Denying Brute Force RDP Requests Using Cisco IPS
Unfortunately, I purchased the SSC-5 which doesn't support custom signatures. Then a glimmer of hope when I saw the signature for the RDP Morto worm. But it is not picking up the failed 'Support' logons even when it is set to 3 (from 37). I watch them come in on my OSSEC email alerts but no actions are taken on the IPS.
It would be really GREAT if there was a signature for a number of successive Failed RDP attempts in the signature database. The SSC-5 is nice, but it wasn't until post-install that I found out custom signatures were disabled. And the Morto worm is not being detected either...
Right now, I set up a PowerShell script that monitors the event logs of my Terminal Server for failed logons. After a configurable number of failed attempts, it telnets to the ASA and shuns the address. It's crude and ugly, but it works.
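An added illustration of the approach that post describes (my own sketch, not Brent's script): count Security-log failed logons (event 4625) per source address over a window, skip an allow-list, and push a `shun` to the ASA over telnet. The ASA host, credential prompt, threshold, window and allow-list patterns are placeholders, and the telnet prompt sequence is assumed rather than parsed.

```powershell
# Added example, not the script from the thread. Assumed: runs on the Terminal Server
# with rights to read the Security log; $AsaHost/$AsaCred, threshold, window and
# allow-list are placeholders; the ASA telnet dialog below is assumed, not parsed.
param(
    [int]$Threshold = 5,
    [int]$WindowMin = 10,
    [string[]]$AllowList = @('10.*', '192.168.*'),   # never shun internal/management ranges
    [string]$AsaHost = 'asa.example.internal',        # placeholder
    [pscredential]$AsaCred = (Get-Credential -Message 'ASA telnet/enable password'),
    [switch]$DryRun
)
function Get-FailedLogonSources {
    param([int]$Minutes)
    $since = (Get-Date).AddMinutes(-$Minutes)
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since }
    $hits = @{}
    foreach ($ev in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # Type 10 = RemoteInteractive (RDP); type 3 is what NLA pre-auth failures log as.
        if ($data['LogonType'] -notin @('3', '10')) { continue }
        $ip = $data['IpAddress']
        # With NLA the source is often logged as '-': nothing to shun in that case.
        if ([string]::IsNullOrWhiteSpace($ip) -or $ip -eq '-') { continue }
        if ($hits.ContainsKey($ip)) { $hits[$ip]++ } else { $hits[$ip] = 1 }
    }
    return $hits
}
function Invoke-AsaShun {
    param([string]$Ip, [string]$Asa, [pscredential]$Cred, [switch]$DryRun)
    if ($DryRun) { Write-Host "would run 'shun $Ip' on $Asa"; return }
    # Telnet as in the thread (cleartext; SSH is the better choice where available).
    # Assumed dialog: login password, 'enable', enable password, then the shun command.
    $client = New-Object System.Net.Sockets.TcpClient($Asa, 23)
    $writer = New-Object System.IO.StreamWriter($client.GetStream())
    $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
    $pw = $Cred.GetNetworkCredential().Password
    foreach ($line in @($pw, 'enable', $pw, "shun $Ip", 'exit')) {
        Start-Sleep -Milliseconds 500   # crude pacing instead of prompt parsing
        $writer.WriteLine($line)
    }
    $client.Close()
}
# Shuns are not saved to the config: clear them with 'no shun <ip>' once the attempts stop.
foreach ($entry in (Get-FailedLogonSources -Minutes $WindowMin).GetEnumerator()) {
    if ($entry.Value -lt $Threshold) { continue }
    if ($AllowList | Where-Object { $entry.Key -like $_ }) { continue }
    Invoke-AsaShun -Ip $entry.Key -Asa $AsaHost -Cred $AsaCred -DryRun:$DryRun
}
```

Run it with `-DryRun` first from a scheduled task to confirm the counts and allow-list behave before letting it touch the ASA.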
My apologies for resurrecting this very old thread, but I, too, am looking for a way to block IPs attempting brute force RDP requests. Brent, if you're still around, could you provide some additional detail regarding the 'crude and ugly' PowerShell script you created?
I'd attempt to contact you via PM, but I can't seem to find that feature.
I don't see that feature either, Scott. I still have the PowerShell script, and it's still ugly. I wouldn't recommend it... and I've moved beyond that now personally and professionally. If you really needed it, I could pass it along to you.
Hit me up via Gmail using the prefix brent.morris - maybe I can help more?