Does work "Same IP" in IDP custom signature?
I've tried to create a custom signature in order to stop a lot of RDP Login Attempts. The signature "RDP Brute Force Login" doesn't work for all the attacks I'm receiving, so I tried to simply block an IP that does more than 2 connection per minute.
Threshold: 2 Packets / 60 seconds.
Transport protocol: TCP,
Source port: any
Destination port: 3389
(then added Flow: Established,To Server, No Stream, to add some criteria).
My signature works since it logs the attempts, but if I add the "Same IP" flag, to block the attacker and not each second connection, it doesn't work any more, and it doesn't log anything.
Does someone have an idea about that?
alert tcp any any -> any 3389 (msg: "Cs-RDP-Threshold"; sid: 9439326; severity: severe; platform: windows; policytype: Access-Control; threshold: type threshold, track by_dst, count 2, seconds 60; sameip ; flow: to_server, established, no_stream; )
Thank you
Federico
0
Accepted Solution
-
@bbros,
The "same ip" means packet with the same source & destination ip address, which most using in DoS attack, not means same source ip / destination ip session.
If the RDP service is for employees use only.
Then, only open for remote VPN access is better than use NAT open for all.
Since leverage VPN as access control is simply reduce the attack surface.
5
All Replies
-
@bbros,
The "same ip" means packet with the same source & destination ip address, which most using in DoS attack, not means same source ip / destination ip session.
If the RDP service is for employees use only.
Then, only open for remote VPN access is better than use NAT open for all.
Since leverage VPN as access control is simply reduce the attack surface.
5 -
Thank you @zyman2008 , I had misunderstood the meaning of the "same ip" flag.Yes, for the RDP sessions I solved by connecting users first via the web interface, then in the Policy Rule putting the allowed user-group as the source of the connection.0
Categories
- All Categories
- 415 Beta Program
- 2.4K Nebula
- 147 Nebula Ideas
- 96 Nebula Status and Incidents
- 5.7K Security
- 262 USG FLEX H Series
- 271 Security Ideas
- 1.4K Switch
- 74 Switch Ideas
- 1.1K Wireless
- 40 Wireless Ideas
- 6.4K Consumer Product
- 249 Service & License
- 387 News and Release
- 84 Security Advisories
- 29 Education Center
- 10 [Campaign] Zyxel Network Detective
- 3.5K FAQ
- 34 Documents
- 34 Nebula Monthly Express
- 85 About Community
- 73 Security Highlight