
I am very new to Snort rules, so I can't understand the rule below exactly. Does this rule send an alert when TCP packets come from the external network on any port to the home network on port 3389? Does it just check port, IP and protocol? If so, I think it can't detect an RDP DoS attack, because when a usual RDP connection wants to be established this rule sends an alert too.

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt"; sid:21619; gid:3; rev:5; classtype:attempted-admin; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; metadata: engine shared, soid 3|21619, service rdp, policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;)
sahar
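Added example (not from the question or the answer, and not Snort's own code): a small Python parser that splits the quoted rule into its header and options and then applies only the header conditions, so you can see what the visible text constrains (protocol, address variables and ports) and that gid:3 marks a shared-object rule whose actual detection logic is compiled into a library rather than written in this text. The home-network range, sample addresses and the assumption that $EXTERNAL_NET is !$HOME_NET are constructed for the example.

```python
import ipaddress
import re

# Copy of the rule quoted in the question (policy metadata shortened).
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft '
        'Windows RemoteDesktop connect-initial pdu remote code execution attempt"; '
        'sid:21619; gid:3; rev:5; classtype:attempted-admin; reference:cve,2012-0002; '
        'reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; '
        'metadata: engine shared, soid 3|21619, service rdp;)')

HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$', re.S)
# Payload-inspecting options; a text rule with none of them matches on header fields alone.
PAYLOAD_OPTS = {'content', 'pcre', 'byte_test', 'byte_jump', 'isdataat'}

def parse_rule(rule):
    """Split a Snort text rule into header fields and (key, value) options."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError('not a Snort rule')
    info = m.groupdict()
    opts = []
    # split on ';' only outside double quotes so the msg text stays intact
    for part in re.split(r';(?=(?:[^"]*"[^"]*")*[^"]*$)', info.pop('opts')):
        if part.strip():
            key, _, val = part.strip().partition(':')
            opts.append((key.strip(), val.strip().strip('"')))
    info['options'] = opts
    info['gid'] = next((v for k, v in opts if k == 'gid'), '1')
    # gid 3 = shared-object rule: its detection logic is compiled, not in this text
    info['shared_object'] = info['gid'] == '3'
    info['payload_inspection'] = bool({k for k, _ in opts} & PAYLOAD_OPTS)
    return info

def header_matches(info, proto, src_ip, src_port, dst_ip, dst_port, home_nets):
    """Apply only the header: protocol, address variables and ports.
    Assumption: $EXTERNAL_NET is defined as !$HOME_NET; home_nets is a list of CIDRs."""
    nets = [ipaddress.ip_network(n) for n in home_nets]
    def addr_ok(spec, ip):
        in_home = any(ipaddress.ip_address(ip) in n for n in nets)
        if spec in ('$HOME_NET', '$EXTERNAL_NET'):
            return in_home == (spec == '$HOME_NET')
        return spec == 'any' or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)
    def port_ok(spec, port):
        return spec == 'any' or int(spec) == int(port)
    return (info['proto'] == proto and addr_ok(info['src'], src_ip)
            and port_ok(info['sport'], src_port) and addr_ok(info['dst'], dst_ip)
            and port_ok(info['dport'], dst_port))
```

Run against the quoted rule, `header_matches` is true for any external-to-internal TCP connection to port 3389, which is exactly the question's concern; the per-packet check that distinguishes a malicious connect-initial PDU from a normal one is inside the shared-object rule, not in the text.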

1 Answer


Check out these rules; I tried to log in to my RDP with a wrong password and got these errors: https://rules.emergingthreats.net/open/snort-2.9.0/

[**] [1:2001329:7] ET POLICY RDP connection request [**]
[Classification: Misc activity] [Priority: 3]
02/24-21:51:19.945279 192.168.15.214:4763 -> 192.168.12.222:3389
TCP TTL:128 TOS:0x0 ID:10379 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0x4F195349  Ack: 0xDFFE9710  Win: 0x100  TcpLen: 20

[**] [1:2001329:7] ET POLICY RDP connection request [**]
[Classification: Misc activity] [Priority: 3]
02/24-21:51:23.159044 192.168.88.214:2764 -> 192.168.122.102:3389
TCP TTL:128 TOS:0x0 ID:10414 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xC8252E54  Ack: 0x56A6EC54  Win: 0x100  TcpLen: 20

BTW, do you know that the RDP account lockout in group policy, when somebody enters a wrong password, is not applied to "administrator", only to users?

user956584