我在snort规则很新,所以我找不到下面的规则。 当tcp数据包来自外部networking和任何端口到家庭networking和端口3389时,这个规则发送警报? 只是检查端口,IP协议? 如果是的话,我认为它不能检测rdp dos攻击,因为当一个普通的rdp连接想要build立这个规则发送警报。
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RemoteDesktop connect-initial pdu remote code execution attempt"; sid:21619; gid:3; rev:5; classtype:attempted-admin; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; metadata: engine shared, soid 3|21619, service rdp, policy balanced-ips drop, policy security-ips drop, policy max-detect-ips drop;)