Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-sigs] False positive: MISC MS Terminal Server no encryption s

from [Matthew Watchinski] Network Security [Permanent Link]
Subject: Re: [Snort-sigs] False positive: MISC MS Terminal Server no encryption session initiation attempt (SID 2418)
Date: Fri, 09 Feb 2007 11:49:31 -0500 
Got pcap?

If so send it in to vrt < AT > sourcefire.com

and we'll give it a look.

The pcap may explain this, but is the session for RDP actually encrypted
and that is why it's a false positive?

Cheers,
-matt

Russell Fulton wrote:

On 8/02/2007, at 3:39 AM, Stephan Scholz wrote:


I'd like to report a false positive concerning Windows Remote Desktop.



Rule:  MISC MS Terminal Server no encryption session initiation  
attempt


--
False Positives:
Update Windows XP SP2 client with optional update: "Remote Desktop  
Connection (Terminal Services Client 6.0) for Windows XP (KB925876)"
Connect to an RDP server. This will lead to a false positive.


Ah, so that's it!  I've been seeing these for some time and no one  
could explain them.

Can this rule be tightened or should it be dropped?

Russell



-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs




-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier.
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding
Next by Date:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Previous by Thread:  Re: [Snort-sigs] False positive: MISC MS Terminal Server no encryption session initiation attempt (SID 2418), Russell Fulton
Next by Thread:  [Snort-sigs] Bleeding Edge Threats Weekly Signature Changes, bleeding
Indexes:  [Date] [Thread] [Top] [All Lists]