Snort mailing list archives
Re: Policy VNC server response
From: Joel Esler <joel.esler () sourcefire com>
Date: Wed, 28 Sep 2005 09:44:07 -0400
You may not have your HOME_NET and EXTERNAL_NET properly defined... Joel On Sep 28, 2005, at 9:36 AM, Hin wrote:
Hi Snorters,A quick question on the below signature. From what I understand, the below signature will detect the response traffic of a VNC server, which means the source address of the alert should be where the VNC server is, right? What would the reason be if I see the VNC server in the destination address field of the alert?alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)Hin __________________________________________________________________ Switch to Netscape Internet Service.As low as $9.95 a month -- Sign up today at http://isp.netscape.com/ registerNetscape. Just the Net You Need. New! Netscape Toolbar for Internet Explorer Search from anywhere on the Web and block those annoying pop-ups. Download now at http://channels.netscape.com/ns/search/install.jsp ------------------------------------------------------- This SF.Net email is sponsored by:Power Architecture Resource Center: Free content, downloads, discussions,and more. http://solutions.newsforge.com/ibmarch.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This SF.Net email is sponsored by: Power Architecture Resource Center: Free content, downloads, discussions, and more. http://solutions.newsforge.com/ibmarch.tmpl _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Policy VNC server response Hin (Sep 28)
- Re: Policy VNC server response Joel Esler (Sep 28)