
0003850: SNORT isn't blocking RDP - MantisBT Endian Bugtracker
Endian Issue Tracker
ID: 0003850
Project: Endian Firewall
Category: Intrusion Prevention
View Status: public
Date Submitted: 2011-06-03 10:06
Last Update: 2011-08-19 14:11
Reporter: ardit-endian
Assigned To: (none)
Priority: normal
Severity: major
Reproducibility: always
Status: feedback
Resolution: open
Platform / OS / OS Version: (none)
Product Version: 2.4
Target Version: (none)
Fixed in Version: (none)
Summary: 0003850: SNORT isn't blocking RDP
Description: Going to:

Services => Intrusion Prevention, editing auto/emerging-policy.rules (search for RDP) and setting drop for all these three rules, just as shown in the screenshot, RDP works without problem, instead of the RDP requests and responses being dropped.

On outgoing, the rule for my IP is set to Allow with IPS.

Additional Information: 2.4 full up to date mini.

NOTE: didn't check if the packets were really hitting the SNORT chain or not.
Tags: purple
Attached Files: rdp-drop.png (41,283 bytes) 2011-06-03 10:10

- Relationships

-  Notes
(0006872)
luca-endian (developer)
2011-07-01 12:51

> NOTE: didn't check if the packets were really hitting SNORT chain or not.

If you want to drop the RDP protocol you must make the traffic to the RDP port pass through snort. In this case why not just close the port? :)

The real use would be to force all the traffic (any destination port) through snort, and then snort should be able to detect the RDP protocol even if the port is not the default one.
By default not all the traffic (outgoing or incoming) is passing through snort; that's probably the reason why it seems not to work.
(0007326)
tiagoaviz (reporter)
2011-08-19 14:11

My idea of use would be to prevent people on my network from accessing RDP servers on alternate ports without my consent.

In my case, all outbound traffic is going through snort.
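The two notes above make one point between them: a rule keyed on destination port 3389 can only drop RDP on that port, and only for flows the firewall actually hands to snort, whereas a rule keyed on the RDP connection request itself catches the protocol on an alternate port. The following added example (not code from the thread or from Endian's product; the flows are constructed) contrasts the two matching strategies over sample TCP payloads, using the TPKT/X.224 framing that MS-RDPBCGR specifies for the client hello.

```python
import struct
from dataclasses import dataclass

RDP_DEFAULT_PORT = 3389  # the only thing a port-based rule looks at


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the TCP stream


def is_rdp_x224_connection_request(payload: bytes) -> bool:
    """Recognise the RDP client hello by its framing, not by its port.

    TPKT header: version=3, reserved=0, 16-bit big-endian length of the unit.
    X.224 CR:    LI (bytes that follow), code 0xE0, dst-ref, src-ref, class,
    optionally followed by 'Cookie: mstshash=<user>' CR LF and an RDP_NEG_REQ.
    """
    if len(payload) < 11:
        return False
    version, reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != 3 or reserved != 0 or tpkt_len > len(payload):
        return False
    li, code = payload[4], payload[5]
    return code == 0xE0 and li == tpkt_len - 5


def port_rule_drops(flow: Flow) -> bool:
    return flow.dst_port == RDP_DEFAULT_PORT


def content_rule_drops(flow: Flow) -> bool:
    return is_rdp_x224_connection_request(flow.payload)


def build_rdp_connection_request(user: str) -> bytes:
    """Constructed sample: a well-formed X.224 CR as an RDP client sends it."""
    cookie = b"Cookie: mstshash=" + user.encode() + b"\r\n"
    neg_req = struct.pack("<BBHI", 1, 0, 8, 3)  # RDP_NEG_REQ: TLS|CredSSP
    x224 = b"\xe0\x00\x00\x00\x00\x00" + cookie + neg_req
    x224 = bytes([len(x224)]) + x224  # prepend LI
    return struct.pack("!BBH", 3, 0, 4 + len(x224)) + x224


# Constructed flows: RDP on 3389, RDP on an alternate port, plain HTTP on 3389.
SAMPLE_FLOWS = {
    "rdp_default_port": Flow(3389, build_rdp_connection_request("alice")),
    "rdp_alternate_port": Flow(3390, build_rdp_connection_request("bob")),
    "http_on_3389": Flow(3389, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
}


def evaluate(flows: dict) -> dict:
    """Map flow name -> (port rule drops?, content rule drops?)."""
    return {n: (port_rule_drops(f), content_rule_drops(f)) for n, f in flows.items()}
```

Either strategy only sees the flows the firewall routes into the IPS chain, which is the reporter's unchecked assumption in this issue.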

- Issue History
Date Modified Username Field Change
2011-06-03 10:06 ardit-endian New Issue
2011-06-03 10:07 ardit-endian Summary SNORT is blocking RDP => SNORT isn't blocking RDP
2011-06-03 10:09 ardit-endian Tag Attached: purple
2011-06-03 10:10 ardit-endian Additional Information Updated
2011-06-03 10:10 ardit-endian File Added: rdp-drop.png
2011-07-01 12:51 luca-endian Note Added: 0006872
2011-07-01 12:51 luca-endian Note View State: 6872: public
2011-07-01 12:52 luca-endian Status new => feedback
2011-08-19 14:11 tiagoaviz Note Added: 0007326

Copyright © 2005-2008 Endian, SRL. All rights reserved.


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker