The "... MS Terminal Server no encryption session initiation attmept"
rule seems to be misfiring.
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#
Rule:
MISC MS Terminal Server no encryption session initiation attmept
--
Sid:
2418
--
Summary:
--
Impact:
--
Detailed Information:
--
Affected Systems:
--
Attack Scenarios:
--
Ease of Attack:
--
False Positives:
Connect to a MS Server using rdesktop.
The rdesktop man page seems to indicate that default use is encrypted.
From the rdesktop man page...
-e Disable encryption. This option is only needed (and will only
work) if you
have a French version of NT TSE.
-E Disable encryption from client to server. This sends an
encrypted login
packet, but everything after this is unencrypted (including
interactive
logins).
Either the rule is misfiring or rdesktop is not behaving as advertised.
Evidence suggests a misfire.
--
False Negatives:
--
Corrective Action:
--
Contributors:
--
Additional References:
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
