Does work "Same IP" in IDP custom signature?

bbros (Posts: 7)
edited April 2021 in Security
I've tried to create a custom signature in order to stop a lot of RDP login attempts. The signature "RDP Brute Force Login" doesn't work for all the attacks I'm receiving, so I tried to simply block an IP that makes more than 2 connections per minute.
Threshold: 2 Packets / 60 seconds.
Transport protocol: TCP,
Source port: any
Destination port: 3389
(then added Flow: Established,To Server, No Stream, to add some criteria).
My signature works since it logs the attempts, but if I add the "Same IP" flag, to block the attacker and not each second connection, it doesn't work any more, and it doesn't log anything.
Does someone have an idea about that?
alert tcp any any -> any 3389 (msg: "Cs-RDP-Threshold"; sid: 9439326; severity: severe; platform: windows; policytype: Access-Control; threshold: type threshold, track by_dst, count 2, seconds 60; sameip; flow: to_server, established, no_stream;)
Thank you
Federico
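As an added illustration (not part of the thread or of Zyxel's documentation), the script below emulates the two rule options the signature relies on, using Snort's semantics for the Snort-style syntax shown: "sameip" matches only when source and destination IP are identical, and "threshold ... track by_dst" counts packets per destination rather than per attacker. The connection events are constructed sample data.

```python
from collections import defaultdict, deque

# Constructed sample of RDP connection attempts:
# (timestamp_seconds, src_ip, dst_ip, dst_port); two external clients, one server.
EVENTS = [
    (0,  "203.0.113.10", "192.0.2.5", 3389),
    (10, "203.0.113.10", "192.0.2.5", 3389),
    (20, "203.0.113.10", "192.0.2.5", 3389),
    (25, "198.51.100.7", "192.0.2.5", 3389),
    (30, "198.51.100.7", "192.0.2.5", 3389),
    (90, "203.0.113.10", "192.0.2.5", 3389),
]


def sameip(src, dst):
    """Snort's 'sameip' option: true only when the source IP equals the destination IP.
    A client connecting to a server from another host never satisfies it."""
    return src == dst


def threshold_alerts(events, count, seconds, track, require_sameip=False):
    """Approximate 'threshold: type threshold, track by_src|by_dst, count N, seconds S':
    alert each time N matching packets for one tracking key fall within S seconds.
    Returns a list of (timestamp, tracking_key) for every alert raised."""
    windows = defaultdict(deque)   # tracking key -> timestamps in the current window
    alerts = []
    for ts, src, dst, dport in events:
        if dport != 3389:
            continue
        if require_sameip and not sameip(src, dst):
            continue                # the rule options are ANDed; sameip fails, no match
        key = src if track == "by_src" else dst
        win = windows[key]
        win.append(ts)
        while win and ts - win[0] > seconds:
            win.popleft()           # drop packets older than the time window
        if len(win) >= count:
            alerts.append((ts, key))
            win.clear()             # start counting the next N packets
    return alerts


if __name__ == "__main__":
    # With sameip the rule can never fire, which is why nothing was logged.
    print(threshold_alerts(EVENTS, 2, 60, "by_dst", require_sameip=True))
    # by_dst lumps all clients together and fires on every second connection to the server.
    print(threshold_alerts(EVENTS, 2, 60, "by_dst"))
    # by_src attributes the count to each connecting client instead.
    print(threshold_alerts(EVENTS, 2, 60, "by_src"))
```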

All Replies

  • bbros (Posts: 7)
    Thank you @zyman2008, I had misunderstood the meaning of the "same ip" flag.
    Yes, for the RDP sessions I solved it by connecting users first via the web interface, then in the Policy Rule putting the allowed user group as the source of the connection.
