Snort mailing list archives
Re: VNC Failed Login
From: Frank Knobbe <frank () knobbe us>
Date: Thu, 02 Sep 2004 17:42:27 -0500
On Thu, 2004-09-02 at 13:26, sekure wrote:
Saw a warning on isc.sans.org about brute force VNC login attempts and couldn't really find any rules to detect it, so I threw together this one:

alert tcp $HOME_NET 5900 -> $EXTERNAL_NET any (msg:"VNC Failed Login"; flow:to_client,established; content:"|00 00 00 00 00 01 00 00 00 16|"; content:"Authentication|20|failure"; classtype:unsuccessful-user; sid:1000001; rev:1;)

VNC does not only operate on port 5900 (that's display :0), but also on other ports up to 5999. Where are those port lists when you need them :)

Frank
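
The following is an added example, not part of the original thread or of Snort: a small Python emulation of the posted rule's source-port test and two content matches, run over constructed traffic to show which failed logins a 5900-only rule misses. The sample addresses and payloads and the names `matches` and `failed_logins` are assumptions made for illustration.

```python
# Added example: emulates the posted rule's port test and its two content matches.
FAIL_PREFIX = bytes.fromhex("00000000000100000016")  # first content, from the rule
FAIL_TEXT = b"Authentication failure"                 # second content, from the rule

ORIGINAL_PORTS = range(5900, 5901)  # rule as posted: server source port 5900 only
DISPLAY_PORTS = range(5900, 6000)   # 5900 + display number, up to 5999


def matches(src_port, payload, ports):
    """True when a server-to-client segment would trigger the rule.

    As with two Snort content options that carry no distance/within
    modifiers, each pattern may appear anywhere in the payload.
    """
    return src_port in ports and FAIL_PREFIX in payload and FAIL_TEXT in payload


def failed_logins(segments, ports):
    """Count matching segments per (client address, display number)."""
    counts = {}
    for src_port, client, payload in segments:
        if matches(src_port, payload, ports):
            key = (client, src_port - 5900)
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample traffic: (server source port, client address, payload).
FAILURE = FAIL_PREFIX + FAIL_TEXT
SAMPLE = [
    (5900, "192.0.2.10", FAILURE),
    (5901, "192.0.2.10", FAILURE),
    (5901, "192.0.2.10", FAILURE),
    (5901, "192.0.2.10", b"RFB 003.003\n"),  # protocol banner, not a failure
    (5999, "198.51.100.7", FAILURE),
    (6000, "198.51.100.7", FAILURE),          # outside the VNC display range
]

if __name__ == "__main__":
    print("port 5900 only: ", failed_logins(SAMPLE, ORIGINAL_PORTS))
    print("ports 5900-5999:", failed_logins(SAMPLE, DISPLAY_PORTS))
```

In the rule itself, the equivalent change is to write the source port field as the range `5900:5999`.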
