Thread Info
  • State Not Answered
  • Replies 7 replies
  • Subscribers 0 subscribers
  • Views 2189 views
  • Users 0 members are here
Options
Suggested

[7.450][BUG][FIXED] IPS blocked MS RDP over VPN Net-2-Net

riedel
It is not possible an unencrypted RDP connection via a VPN tunnel to build.
Linux RDP Client, RDP Server MS XP Pro SP3

id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="MISC MS Terminal Server no encryption session initiation attempt" group="110" srcip="192.168.100.11" dstip="192.168.200.2" proto="6" srcport="55196" dstport="3389" sid="2418" class="Attempted Denial of Service" priority="2" generator="1" msgid="0" 


MfG E. Riedel
Parents
  • 0
    This is default action by snort, unfortuntely there is no easy way of changing it via astaro's admin interface. 

    However, with the sid given (2418), I guess you can do a "Manual rule modification" to alert but not drop, or disable ips between these two vlan? Although I don't think it is such a good idea. personally I would use RDP client with encryption on.
  • 0 in reply to dmzalarm
    Okay this may only apply for the V7.450.
    With the same settings, it ran into V7.402
    without problems. [:S]

    MfG E. Riedel
  • 0 in reply to riedel
    Just disable the errant rule in the advanced tab under the IPS settings; IPS systems require a bit of tuning sometimes; this is not the first time I've seen this rule triggered falsely by legitimate RDP traffic (and that rule dates back to Version 6).  I would not consider this a "bug."

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • 0 in reply to BrucekConvergent
    I see the same thing.  I'm perfectly fine with this not being a bug, but it does at least appear to be a difference in behavior between the IPS engine in 7.450 and the original IPS engine in 7.402; with the same patterns on both, the newer engine blocks this traffic, and the older doesn't.  I didn't have to disable this rule prior to switching to the beta, but after having done so I've disabled this rule and also rule 8428 (which has started blocking OWA access to Exchange 2007 since 7.450).
  • 0 in reply to MarCow
    I've had the same rule triggered in older IPS engines (not just the beta), indeed, right before V7 came out, this was a common rule for me to see triggered on V6 systems.  It's all about the combination of server and client versions causing this rule to be triggered; if it's legit traffic, just disable the rule.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply
  • 0 in reply to MarCow
    I've had the same rule triggered in older IPS engines (not just the beta), indeed, right before V7 came out, this was a common rule for me to see triggered on V6 systems.  It's all about the combination of server and client versions causing this rule to be triggered; if it's legit traffic, just disable the rule.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Children
Cookie Information Banner