
0003850: SNORT isn't blocking RDP - MantisBT
View Issue Details
ID: 0003850
Project: Endian Firewall
Category: Intrusion Prevention
View Status: public
Date Submitted: 2011-06-03 10:06
Last Update: 2011-08-19 14:11
Reporter: ardit-endian
Priority: normal
Severity: major
Reproducibility: always
Status: feedback
Resolution: open
Product Version: 2.4

0003850: SNORT isn't blocking RDP
Description:
Going to:

Services => Intrusion Prevention, editing auto/emerging-policy.rules (search for RDP) and setting drop for all these three rules, just as shown in the screenshot, RDP works without problem, instead of the RDP requests and responses being dropped.

On outgoing, the rule for my IP is set to Allow with IPS.
2.4, fully up to date, mini.

Additional Information:
NOTE: didn't check if the packets were really hitting the SNORT chain or not.
Tags: purple
Attached Files: rdp-drop.png (41,283 bytes) 2011-06-03 10:10
https://bugs.endian.com/file_download.php?file_id=753&type=bug
Issue History
2011-06-03 10:06 | ardit-endian | New Issue
2011-06-03 10:07 | ardit-endian | Summary | SNORT is blocking RDP => SNORT isn't blocking RDP
2011-06-03 10:09 | ardit-endian | Tag Attached: purple
2011-06-03 10:10 | ardit-endian | Additional Information Updated
2011-06-03 10:10 | ardit-endian | File Added: rdp-drop.png
2011-07-01 12:51 | luca-endian | Note Added: 0006872
2011-07-01 12:51 | luca-endian | Note View State: 6872: public
2011-07-01 12:52 | luca-endian | Status | new => feedback
2011-08-19 14:11 | tiagoaviz | Note Added: 0007326

Notes
(0006872) luca-endian 2011-07-01 12:51
> NOTE: didn't check if the packets were really hitting the SNORT chain or not.

If you want to drop the RDP protocol you must make the traffic to the RDP port pass through snort. In this case, why not just close the port? :)

The real use would be to force all the traffic (any destination port) through snort, and then snort should be able to detect the RDP protocol even if the port is not the default one.
By default not all the traffic (outgoing or incoming) is passing through snort; that's probably the reason why it seems not to work.

(0007326) tiagoaviz 2011-08-19 14:11
My idea of use would be to prevent people on my network from accessing RDP servers on alternate ports without my consent.

In my case, all outbound traffic is going through snort.
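The two notes above make two separate points: a rule that keys on port 3389 does nothing for RDP on an alternate port, and no rule fires at all for traffic the firewall never hands to Snort. The script below is an added illustration of both, not code from the ticket or from Endian. It builds an RDP X.224 Connection Request the way a client sends it (the TPKT/X.224 layout is from MS-RDPBCGR; the user name in the cookie is a made-up value), then runs a port-only check and a payload-only check over constructed packets; the `through_ips` flag and the packet labels are assumptions made for the example, modelling the "did it hit the snort chain" question from the reporter's note.

```python
"""
Port-based vs. payload-based RDP detection, the way Snort rules see traffic.

Sample traffic is constructed, not captured: an RDP X.224 Connection Request
(MS-RDPBCGR 2.2.1.1) on the default port, the same request on an alternate
port, a non-RDP payload on 3389, and one RDP packet that never reaches the IPS.
"""
import struct
from dataclasses import dataclass

RDP_DEFAULT_PORT = 3389
X224_CONNECTION_REQUEST = 0xE0  # X.224 CR TPDU code (CDT bits zero)


@dataclass
class Packet:
    label: str
    dst_port: int
    payload: bytes
    through_ips: bool = True  # False models traffic the firewall never queues to Snort (assumed flag)


def build_rdp_connection_request(username: str = "user") -> bytes:
    """Build the first packet an RDP client sends (user name is hypothetical).

    Layout: TPKT header (version 3, reserved 0, 16-bit big-endian total length),
    then the X.224 CR TPDU: LI, code 0xE0, DST-REF, SRC-REF, class option,
    the optional routing cookie, and an RDP_NEG_REQ (type 1, flags 0,
    length 8, requestedProtocols 0 = standard RDP security).
    """
    cookie = f"Cookie: mstshash={username}\r\n".encode("ascii")
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, 0)  # RDP_NEG_REQ fields are little-endian
    x224_body = (bytes([X224_CONNECTION_REQUEST]) + b"\x00\x00" + b"\x00\x00"
                 + b"\x00" + cookie + neg_req)
    x224 = bytes([len(x224_body)]) + x224_body  # LI = bytes of the TPDU after the LI byte
    tpkt = struct.pack("!BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def port_rule_hits(pkt: Packet) -> bool:
    """What a rule written for 'tcp any any -> any 3389' sees: the port only."""
    return pkt.dst_port == RDP_DEFAULT_PORT


def payload_rule_hits(pkt: Packet) -> bool:
    """Port-agnostic check, the equivalent of fixed-offset content matches:
    content:"|03 00|"; depth:2;            (TPKT version 3, reserved 0)
    content:"|e0|"; offset:5; depth:1;     (X.224 Connection Request)
    plus the TPKT length and LI agreeing with the packet size."""
    p = pkt.payload
    if len(p) < 7:
        return False
    version, reserved, tpkt_len = struct.unpack("!BBH", p[:4])
    li, code = p[4], p[5]
    return (version == 3 and reserved == 0 and tpkt_len == len(p)
            and code == X224_CONNECTION_REQUEST and li + 5 == len(p))


def evaluate(packets):
    """Return (label, port_rule_hit, payload_rule_hit) per packet.
    A packet the firewall does not hand to Snort matches nothing,
    whichever rule is loaded; that is the first note's point."""
    results = []
    for pkt in packets:
        if not pkt.through_ips:
            results.append((pkt.label, False, False))
            continue
        results.append((pkt.label, port_rule_hits(pkt), payload_rule_hits(pkt)))
    return results


def sample_packets():
    rdp = build_rdp_connection_request()
    http = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"  # constructed non-RDP payload
    return [
        Packet("rdp on 3389", RDP_DEFAULT_PORT, rdp),
        Packet("rdp on 5000", 5000, rdp),
        Packet("http on 3389", RDP_DEFAULT_PORT, http),
        Packet("rdp on 3389, bypasses IPS", RDP_DEFAULT_PORT, rdp, through_ips=False),
    ]


if __name__ == "__main__":
    for label, by_port, by_payload in evaluate(sample_packets()):
        print(f"{label:28} port rule: {by_port!s:5} payload rule: {by_payload}")
```

The second packet is the case tiagoaviz describes: only the payload check catches RDP on port 5000, and only if the outbound policy actually sends that flow through the IPS. The third packet shows the cost of a port-only rule: it drops whatever happens to be on 3389, RDP or not. The fourth is the reporter's unchecked assumption: when the packet bypasses the Snort chain, neither rule can fire, which is why the first note asks about that before anything else.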