Support community,
Has anyone had any luck creating a signature that fires against failed login attempts against TCP/3389? Unfortunately, since the protocol is encrypted, we are having a hard time finding anything to match against with a failed or successful login.
Here is an example of the traffic. Attacker is hitting a server's public IP address on port 3389. They are attempting 10-20 failed login attempts per minute. I'd like to be able to block this traffic.
Any help would be greatly appreciated.