Network detection rule for CVE-2019-0708 in RDP tested with #Suricata

Converted to a .sig file so that it can be used in the Bro signature framework, using Brocata.

signature 2019_05_rdp_cve_2019_0708 {
  src-ip == any
  dst-ip == any
  src-port == any
  dst-port == 3389
  ip-proto == tcp
  # Hex bytes use Bro's \xNN escapes. The ordered content matches are the TPKT
  # header (03 00), the X.224 data TPDU (02 f0), the T.124 ConnectData prefix,
  # the CS_NET block header (03 c0) and the MS_T120 channel name, with bounded
  # gaps between them.
  payload /\x03\x00.{2}\x02\xf0.{0,64}\x00\x05\x00\x14\x7c\x00\x01.{0,48}\x03\xc0.{0,46}MS_T120\x00/
  tcp-state originator,established
  event "NCC GROUP RDP connection setup with MS_T120 channel, potential CVE-2019-0708"
}
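As an added example (not code from the original post, from Brocata, or from NCC Group's rule), the following Python mirrors what the signature checks: the client-to-server and port 3389 conditions, then the same ordered byte markers in the payload. It also parses the CS_NET channel list so an analyst can see which channel names a client requested, which is what distinguishes a normal connection (rdpdr, cliprdr, ...) from one that asks for MS_T120. The sample payloads are constructed for this example; the bytes between the markers are filler rather than a faithful MCS Connect-Initial encoding.

```python
import re

# Regex equivalent of the signature's payload clause: TPKT header at offset 0,
# X.224 data TPDU at offset 4, then the remaining markers in order.
SIGNATURE = re.compile(
    rb"\A\x03\x00.{2}\x02\xf0"              # TPKT (03 00), 2-byte length, X.224 (02 f0)
    rb".*?\x00\x05\x00\x14\x7c\x00\x01"     # T.124 ConnectData object identifier prefix
    rb".*?\x03\xc0"                         # CS_NET block header (type 0xc003, little-endian)
    rb".*?MS_T120\x00",                     # channel definition named MS_T120
    re.DOTALL,
)


def _connect_initial(second_channel: bytes) -> bytes:
    """Build a constructed client Connect-Initial carrying two channel definitions."""
    assert len(second_channel) == 8           # channel names are 8 bytes, NUL padded
    header = (
        b"\x03\x00\x00\x40"                   # TPKT: version 3, reserved, length (constructed)
        b"\x02\xf0\x80"                       # X.224 data TPDU
        b"\x7f\x65\x82\x00\x38"               # MCS Connect-Initial BER tag and length (filler)
        b"\x00\x05\x00\x14\x7c\x00\x01"       # T.124 ConnectData object identifier prefix
        b"\x81\x30\x00\x08\x00\x10\x00\x01\xc0"  # filler ending in a CS_CORE-style header (01 c0)
        b"\x03\xc0\x20\x00"                   # CS_NET header: type 0xc003, length 32
        b"\x02\x00\x00\x00"                   # channelCount = 2
        b"rdpdr\x00\x00\x00\x00\x00\x00\x00"  # channel 0: 8-byte name + 4-byte options
    )
    return header + second_channel + b"\x00\x00\x00\x00"   # channel 1: name + options


# Constructed samples: one requesting the MS_T120 channel, one requesting cliprdr.
SUSPICIOUS = _connect_initial(b"MS_T120\x00")
BENIGN = _connect_initial(b"cliprdr\x00")


def matches_signature(payload: bytes, dst_port: int, originator: bool) -> bool:
    """Apply the signature's header conditions (dst-port 3389, originator side)
    and its payload regex to one client-to-server payload."""
    if dst_port != 3389 or not originator:
        return False
    return SIGNATURE.search(payload) is not None


def cs_net_channel_names(payload: bytes) -> list:
    """Return the channel names from the first CS_NET block (03 c0) in the payload.
    Layout per MS-RDPBCGR: 2-byte type, 2-byte length, 4-byte channelCount,
    then 12-byte entries (8-byte NUL-padded name, 4-byte options)."""
    idx = payload.find(b"\x03\xc0")
    if idx < 0 or len(payload) < idx + 8:
        return []
    block_len = int.from_bytes(payload[idx + 2:idx + 4], "little")
    count = int.from_bytes(payload[idx + 4:idx + 8], "little")
    names = []
    pos = idx + 8
    # Never trust channelCount alone; bound the loop by the declared block length.
    for _ in range(min(count, max(block_len - 8, 0) // 12)):
        entry = payload[pos:pos + 12]
        if len(entry) < 12:
            break
        names.append(entry[:8].split(b"\x00", 1)[0].decode("ascii", "replace"))
        pos += 12
    return names


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        hit = matches_signature(sample, 3389, True)
        print(f"{label}: channels={cs_net_channel_names(sample)} signature_match={hit}")
```

The channel parser is deliberately separate from the regex: the signature fires on the byte sequence alone, while the parsed channel list is what you would attach to the alert (or log from a Bro script) to give a responder context without re-reading the raw payload.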
