Need assistance creating an RDP (TCP/3389) failed login attempts signature

jpaykoc2910
Level 1

Support community,

Has anyone had any luck creating a signature that fires against failed login attempts against TCP/3389? Unfortunately, since the protocol is encrypted, we are having a hard time finding anything to match against with a failed or successful login.

Here is an example of the traffic. Attacker is hitting a server's public IP address on port 3389. They are attempting 10-20 failed login attempts per minute. I'd like to be able to block this traffic.

Any help would be greatly appreciated.

1 Reply

rhermes
Level 7

If each login attempt requires a separate session, you may be able to use one of the flood engines to trigger for >5 sessions/sec to any one host on port 3389.

- Bob
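
The session-rate idea from the reply, as an added example that is not part of the original thread and is not Cisco IPS signature syntax: a sliding-window counter over new TCP sessions to port 3389, run once with the reply's 5 sessions/sec threshold and once with a per-minute threshold sized to the 10-20 attempts per minute in the question. It assumes one TCP session per login attempt and keys on (source, destination) so the source can be blocked; the record format, function names and addresses are constructed for illustration.

```python
from collections import defaultdict, deque

RDP_PORT = 3389

def flag_rdp_floods(sessions, max_sessions, window_s):
    """Return (src, dst) pairs that opened more than max_sessions new TCP
    sessions to port 3389 inside any window_s-second sliding window.

    sessions: iterable of (timestamp_seconds, src_ip, dst_ip, dst_port),
    one record per new session (for example per SYN), sorted by timestamp.
    The payload is never inspected, so RDP encryption does not matter.
    """
    recent = defaultdict(deque)  # (src, dst) -> session start times in window
    flagged = set()
    for ts, src, dst, dport in sessions:
        if dport != RDP_PORT:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        # Drop session starts that have aged out of the window.
        while q and ts - q[0] >= window_s:
            q.popleft()
        if len(q) > max_sessions:
            flagged.add((src, dst))
    return flagged

def sample_sessions():
    """Constructed sample data using documentation address ranges."""
    server = "203.0.113.5"
    # One new RDP session every 4 s (15 per minute) for two minutes.
    s = [(t * 4.0, "198.51.100.7", server, 3389) for t in range(30)]
    # An administrator opening two RDP sessions a minute apart.
    s += [(10.0, "192.0.2.10", server, 3389), (70.0, "192.0.2.10", server, 3389)]
    # Busy HTTPS client: high rate, but not port 3389, so it is ignored.
    s += [(t * 0.1, "198.51.100.9", server, 443) for t in range(50)]
    return sorted(s)

if __name__ == "__main__":
    data = sample_sessions()
    # Threshold from the reply: more than 5 sessions in 1 second.
    print("5 per 1 s  :", flag_rdp_floods(data, 5, 1.0))
    # Threshold sized to the rate in the question: more than 10 in 60 seconds.
    print("10 per 60 s:", flag_rdp_floods(data, 10, 60.0))
```

On this sample the per-second threshold flags nothing, because 15 sessions per minute never puts more than one session in a one-second window, while the per-minute threshold flags only the repeated source.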