Since the IPS rule set in html isn't updated for quite a while. Can anyone tell me if there is any protection included for the recent ms12-020 exploit?
Since a snort rule was only created for this vulnerability yesterday as a VRT rule, so no it is not included in the most recently deployed pattern update. The rule will need to be reviewed and vetted before we would add it to the patterns that we push out for IPS. No ETA on when or if it will be included.
We try to do as much testing as possible with snort rules as they can be prone to false positives, which have the possibility of causing even more disruption than the vulnerability itself would.
I have always advocated rdp NOT be exposed to the internet. it has been easily crackable for years and plus the fact that it runs as a kernel service that just makes this kind of bug so easy to exploit. My advice? use the vpn inside of your astaro and then rdp over that. IMO anyone who exposes rdp directly to the internet is asking to get pwned.
