Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1206
Views
0
Helpful
1
Replies

Need assistance creating an RDP (TCP/3389) failed login attempts signature

jpaykoc2910
Level 1
Level 1

‎05-25-2011 10:45 AM - edited ‎03-10-2019 05:21 AM

Support community,

Has anyone had any luck creating a signature that fires against failed login attempts against TCP/3389?  Unfortunately, since the protocol is encrypted, we are having a hard time finding anything to match against with a failed or sucessful login. 

Here is an example of the traffic.  Attacker is hitting a server's public IP address on port 3389.  They are attempting 10-20 failed login attempts per minute. I'd like to be able to block this traffic. 

Any help would be greatly appreaciated.

Labels:
0 Helpful
1 Reply 1

rhermes
Level 7
Level 7

‎05-25-2011 11:56 AM

If each login attempt requires a seperate session, you may be able to use one of the flood engines to trigger for >5 sessions/sec to any one host on port 3389.

- Bob

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card