I am very new to Snort rules, so I cannot quite work out the rule below. Does this rule send an alert when a TCP packet arrives from the external network, from any port, to the home network on port 3389? Does it only check port, IP and protocol? If so, I think it cannot detect an RDP DoS attack, because this rule would also alert when an ordinary RDP connection is being established.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt"; sid:21619; gid:3; rev:5; classtype:attempted-admin; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; metadata: engine shared, soid 3|21619, service rdp, policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;)
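The following is an added example, not code from the question or from either poster, to make the distinction in the question concrete. It parses the rule stub quoted above into its header (action, protocol, addresses, ports, direction) and its options, evaluates the header against a few constructed packet 5-tuples, and reports what else would have to be true for the rule to fire. Two things are worth seeing in the output: the header alone does match every external-to-home TCP packet to port 3389, but this particular rule carries `gid:3` and `metadata: engine shared`, which mark it as a Snort shared-object (SO) rule, so the text in the .rules file is only a stub and the actual payload checks are compiled into the shared object and are not visible here. The `$HOME_NET`/`$EXTERNAL_NET` bindings, the two extra rules (one header-only, one with a `content` match) and the packet tuples are all constructed for the example and are not the asker's configuration or any vendor's real rule text.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed Snort variable bindings (assumption: not the asker's snort.conf).
VARS = {
    "HOME_NET": "192.168.0.0/16",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Rule stub exactly as quoted in the question. gid:3 plus "engine shared"
# identify a shared-object rule: the detection logic lives in the .so.
QUESTION_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows '
    'RemoteDesktop connect-initial pdu remote code execution attempt"; sid:21619; gid:3; '
    'rev:5; classtype:attempted-admin; reference:cve,2012-0002; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; '
    'metadata: engine shared, soid 3|21619, service rdp, policy balanced-ips drop, '
    'policy security-ips drop, policy max-detect-ips drop;)'
)

# Constructed comparison rules (not real vendor signatures): one that matches on
# the header only, and one that additionally requires a TPKT version byte (0x03)
# at the start of the payload.
HEADER_ONLY_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 '
                    '(msg:"RDP to home net (constructed)"; sid:1000001; rev:1;)')
CONTENT_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 '
                '(msg:"RDP TPKT header (constructed)"; flow:to_server,established; '
                'content:"|03 00|"; depth:2; sid:1000002; rev:1;)')

# Option keywords that inspect payload bytes (illustrative, not exhaustive).
PAYLOAD_KEYWORDS = {"content", "pcre", "byte_test", "byte_jump", "byte_extract",
                    "isdataat", "dsize", "uricontent"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)


def split_options(body):
    """Split 'k:v; k2:v2; ...' on ';' while respecting quoted and escaped text."""
    parts, cur, quoted, esc = [], [], False, False
    for ch in body:
        if esc:
            cur.append(ch)
            esc = False
            continue
        if ch == "\\":
            esc = True
            cur.append(ch)
            continue
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text):
    """Return a dict with the header fields, an options map, sid and gid."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = {}
    for item in split_options(m.group("opts")):
        key, _, val = item.partition(":")
        opts.setdefault(key.strip(), []).append(val.strip().strip('"'))
    rule["options"] = opts
    rule["sid"] = int(opts.get("sid", ["0"])[0])
    rule["gid"] = int(opts.get("gid", ["1"])[0])  # Snort defaults gid to 1
    return rule


def addr_matches(spec, ip, variables=VARS):
    """Evaluate an address spec ('any', '$VAR', '!x', '[a,b]', CIDR) against ip."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(addr_matches(s, ip, variables) for s in spec[1:-1].split(","))
    return ip_address(ip) in ip_network(spec, strict=False)


def port_matches(spec, port, variables=VARS):
    """Evaluate a port spec ('any', '$VAR', '!x', 'lo:hi', single port) against port."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port, variables)
    if spec.startswith("$"):
        return port_matches(variables[spec[1:]], port, variables)
    lo, sep, hi = spec.partition(":")
    if sep:
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def header_matches(rule, proto, src, sport, dst, dport):
    """True if the packet 5-tuple satisfies the rule header alone."""
    if rule["proto"] not in (proto, "ip"):
        return False
    fwd = (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
           and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    if rule["dir"] == "<>":
        rev = (addr_matches(rule["src"], dst) and port_matches(rule["sport"], dport)
               and addr_matches(rule["dst"], src) and port_matches(rule["dport"], sport))
        return fwd or rev
    return fwd


def detection_kind(rule):
    """What, beyond the header, decides whether the rule fires."""
    meta = " ".join(rule["options"].get("metadata", []))
    if rule["gid"] == 3 or "engine shared" in meta:
        return "shared-object"   # checks compiled into the .so, invisible in the stub
    if PAYLOAD_KEYWORDS & set(rule["options"]):
        return "payload"         # content/pcre/... inspect bytes on the wire
    return "header-only"         # fires on every packet matching the 5-tuple


if __name__ == "__main__":
    for text in (QUESTION_RULE, HEADER_ONLY_RULE, CONTENT_RULE):
        r = parse_rule(text)
        hit = header_matches(r, "tcp", "203.0.113.5", 4763, "192.168.12.222", 3389)
        print(f"sid {r['sid']} gid {r['gid']}: header matches external->3389: {hit}, "
              f"decided by: {detection_kind(r)}")
```

Running it shows all three headers matching a constructed external-to-home SYN-style tuple on 3389, and a packet from 192.168.15.214 (inside `$HOME_NET`) matching none of them because `$EXTERNAL_NET` is defined as `!$HOME_NET`. Only the constructed header-only rule would alert on every ordinary RDP connection; the rule from the question is decided by its shared-object code, and the `content` rule by the payload bytes.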
Answer 1
Checked this rule, tried logging into my RDP with a wrong password, and got the following error: https://rules.emergingthreats.net/open/snort-2.9.0/
[**] [1:2001329:7] ET POLICY RDP connection request [**]
[Classification: Misc activity] [Priority: 3]
02/24-21:51:19.945279 192.168.15.214:4763 -> 192.168.12.222:3389
TCP TTL:128 TOS:0x0 ID:10379 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0x4F195349 Ack: 0xDFFE9710 Win: 0x100 TcpLen: 20
[**] [1:2001329:7] ET POLICY RDP connection request [**]
[Classification: Misc activity] [Priority: 3]
02/24-21:51:23.159044 192.168.88.214:2764 -> 192.168.122.102:3389
TCP TTL:128 TOS:0x0 ID:10414 IpLen:20 DgmLen:86 DF
***AP*** Seq: 0xC8252E54 Ack: 0x56A6EC54 Win: 0x100 TcpLen: 20
By the way, did you know that the RDP account lockout in Group Policy does not apply to the "Administrator" user when someone enters a wrong password?