[Oisf-users] MS Terminal Traffic on non-standard port.

Francis Trudeau ftrudeau at emergingthreats.net
Tue Oct 10 00:16:08 UTC 2017


That rule looks like this:

content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|";
offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern;

Looks pretty solid and SSH traffic that has cookies would be strange.
I'd like to see a PCAP of this if you can grab one.  Odd he would send
RDP traffic when presented with an SSH banner.

As far as your bogey, we logged 181.143.173.235 scanning for RDP in
June, so it's likely he's up to no good.  Also these guys show
scanning:

https://www.abuseipdb.com/check/181.143.173.235
http://blackip.ustc.edu.cn/search.php?ip=%B8%E7%C2%D7%B1%C8%D1%C7


FT
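To show how the three content matches of that rule combine, here is an added Python example (mine, not Francis's and not the ET rule itself) that models the quoted rule body against constructed payloads. The rule header (ports, flow direction) is not quoted in the mail and is not modelled; depth is taken as counted from offset, which is the reading the rule's offset:5; depth:6 for a six-byte pattern requires.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Content:
    """One 'content' keyword with absolute offset/depth modifiers.
    Assumed semantics: depth counts bytes to search starting at offset."""
    pattern: bytes
    offset: int = 0
    depth: Optional[int] = None   # None: search to the end of the payload

    def find(self, payload: bytes) -> int:
        """Index of the first match inside the search window, or -1."""
        end = len(payload) if self.depth is None else self.offset + self.depth
        pos = payload[self.offset:end].find(self.pattern)
        return -1 if pos < 0 else self.offset + pos

# The three content matches of sid 2023753 as quoted in the mail. fast_pattern
# only selects the pattern for the multi-pattern prefilter; it does not change
# whether the rule matches, so it is not modelled here.
SID_2023753: Tuple[Content, ...] = (
    Content(b"\x03\x00\x00", depth=3),                        # TPKT header, version 3
    Content(b"\xe0\x00\x00\x00\x00\x00", offset=5, depth=6),  # X.224 Connection Request
    Content(b"Cookie: mstshash="),                            # RDP routing-token cookie
)

def is_rdp_connection_request(payload: bytes) -> bool:
    """True only when every content match hits (content keywords are ANDed)."""
    return all(c.find(payload) >= 0 for c in SID_2023753)

def mstshash_user(payload: bytes) -> Optional[str]:
    """Username carried in the mstshash cookie, or None if the rule does not match."""
    if not is_rdp_connection_request(payload):
        return None
    start = payload.index(b"mstshash=") + len(b"mstshash=")
    end = payload.find(b"\r\n", start)
    if end < 0:
        end = len(payload)
    return payload[start:end].decode("ascii", "replace")

# Constructed sample payloads (not taken from the reporter's capture).
RDP_CR = (
    b"\x03\x00\x00\x2b"                  # TPKT: version 3, total length 43
    b"\x26\xe0\x00\x00\x00\x00\x00"      # X.224 CR: LI=38, code 0xe0, refs, class 0
    b"Cookie: mstshash=admin\r\n"        # routing token with the client username
    b"\x01\x00\x08\x00\x03\x00\x00\x00"  # RDP negotiation request
)
SSH_BANNER = b"SSH-2.0-OpenSSH_7.5\r\n"   # what an SSH client would send instead
RDP_CR_NO_COOKIE = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00\x01\x00\x08\x00\x03\x00\x00\x00"
```

An SSH client talking to port 22000 fails the very first match, which is why a hit on this rule against an sshd port means the remote side really did send an RDP connection request.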

On Mon, Oct 9, 2017 at 5:32 PM, David Woodfall <dave at dawoodfall.net> wrote:
> I have noticed 4 of these in my fast.log:
>
> 10/06/2017-20:43:06.327646  [**] [1:2023753:2] ET SCAN MS Terminal
> Server Traffic on Non-standard Port [**] [Classification: Attempted
> Information Leak] [Priority: 2] {TCP} 181.143.173.235:64705 ->
> 192.168.1.2:22000
>
> All from the same IP.
>
> I am running sshd on that port and just wondering what the chances of
> someone finding that port by accident. There are no hits of him
> scanning a range of ports.
>
> I found a couple of things that run on that port, but it seems
> unusual.
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/