MS-RDP traffic not being detected as brute force signature 40021 as expected.

Created On 04/03/20 01:32 AM - Last Modified 04/27/20 08:51 PM


Symptom


The RDP brute force vulnerability signature (threat ID 40021) does not trigger on MS-RDP brute force attempts, even though the attempts are visible in the traffic logs.

Environment


  • Any PAN-OS
  • Palo Alto Networks firewall.
  • Threat Prevention for MS-RDP brute force attacks.


Cause


  • For many years, Microsoft Windows has carried the MS-RDP session inside a TLS tunnel (the client requests TLS or CredSSP security during connection negotiation, and everything after that, including the logon exchange, is encrypted). Because the part of the RDP handshake that signature 40021 inspects is inside that TLS tunnel, the Layer 7 vulnerability signature can no longer see it and does not trigger.
  • The Palo Alto Networks firewall does not yet support TLS decryption for MS-RDP; decryption policies cannot open the RDP security layer the way they can open HTTPS. This is a current limitation.


Resolution


The resolution provided below is a workaround:

Use a custom vulnerability signature built on the custom signature context named "t_120-req-msrdp-negotiation-request". This context matches the client's MS-RDP negotiation request (the X.224 Connection Request), which is exchanged in cleartext before the TLS handshake and therefore remains visible to the firewall even though the rest of the session is encrypted. Customers can write their own MS-RDP brute force signatures on top of it and tune the threshold to their environment, which keeps false positives low.

Note that this approach counts connection attempts per source, not failed logons: a jump host, a monitoring system or an administrator that legitimately opens many RDP sessions in a short time will also reach the threshold. Pick the hit count and interval to match normal activity, and add exceptions for known sources if needed.

To create a custom signature for MS-RDP brute force (a large number of RDP connection attempts from one source):
  1. Go to GUI: Objects > Custom Objects > Vulnerability.
  2. Click Add to create a signature that detects a single MS-RDP connection attempt.
  3. On the Configuration tab, enter Threat ID (example: 41001), Name (example: msrdp negotiation request detection), Severity (informational) and Direction (client2server).
  4. On the Signatures tab, click Add, enter a signature name (example: msrdp connection), click Add Or Condition, set Operator to "Equal To", set Context to "t_120-req-msrdp-negotiation-request", set Value to 1. Click OK.
  5. Commit.
  6. Return to the same page and click Add to create the combination signature. On the Configuration tab, enter Threat ID (example: 41002), Name (example: MS-RDP connection brute force detection), Severity (critical) and Direction (client2server).
  7. On the Signatures tab, choose Combination. On the Combination Signatures tab, click Add And Condition and enter the Threat ID from step 3 (example: 41001), then click OK. On the Time Attribute tab, enter the hit threshold (example: Number of Hits 10 per 30 seconds) and select source as the Aggregation Criteria.
  8. Commit.
  9. Verify that a Vulnerability Protection profile whose rules cover the custom signatures (either by threat ID exception or by the informational and critical severities used above) is attached to the security policy rule that allows the ms-rdp traffic; custom signatures only fire through such a profile. Matches appear in Monitor > Logs > Threat under the chosen threat ID (example: 41002).
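The following added example is not part of the knowledgebase article and is not Palo Alto Networks code. It shows, in plain Python, what the workaround above relies on: the cleartext MS-RDP negotiation request (TPKT + X.224 Connection Request with an mstshash cookie and RDP_NEG_REQ, as defined in MS-RDPBCGR) is parsed while a TLS record is ignored, and a per-source counter reproduces the combination signature's "10 hits per 30 seconds, aggregated by source" rule. All packets, IP addresses and usernames are constructed sample data; the class and function names are this example's own.

```python
"""Added example (not from the article): parse the cleartext MS-RDP negotiation
request and apply a per-source hit threshold like the PAN-OS combination signature."""
import struct
from collections import defaultdict, deque

# RDP_NEG_REQ fields (MS-RDPBCGR 2.2.1.1.1); these constants are from the spec.
TYPE_RDP_NEG_REQ = 0x01
PROTOCOL_RDP = 0x00000000      # legacy standard RDP security, no TLS
PROTOCOL_SSL = 0x00000001      # TLS
PROTOCOL_HYBRID = 0x00000002   # CredSSP / Network Level Authentication


def build_negotiation_request(username: str, protocols: int) -> bytes:
    """Construct the X.224 Connection Request a client sends before any TLS
    handshake: TPKT header, X.224 CR TPDU, mstshash cookie, RDP_NEG_REQ.
    Constructed sample data, not a capture."""
    cookie = f"Cookie: mstshash={username}\r\n".encode()
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, protocols)
    tpdu = bytes([0xE0, 0, 0, 0, 0, 0]) + cookie + neg_req  # CR code, DST-REF, SRC-REF, class
    tpdu = bytes([len(tpdu)]) + tpdu                          # X.224 length indicator
    return struct.pack(">BBH", 3, 0, 4 + len(tpdu)) + tpdu    # TPKT: version 3, reserved, length


def parse_negotiation_request(data: bytes):
    """Return {'cookie': ..., 'protocols': ...} if data is an X.224 Connection
    Request (the MS-RDP negotiation request), otherwise None."""
    if len(data) < 11 or data[0] != 0x03 or struct.unpack(">H", data[2:4])[0] != len(data):
        return None
    li = data[4]                                   # TPDU length, excluding this byte
    if data[5] & 0xF0 != 0xE0 or 5 + li > len(data):
        return None
    body = data[11:5 + li]                         # variable part after the fixed CR header
    cookie, protocols = None, None
    if body.startswith(b"Cookie: mstshash="):
        end = body.find(b"\r\n")
        if end < 0:
            return None
        cookie = body[17:end].decode(errors="replace")
        body = body[end + 2:]
    if len(body) >= 8 and body[0] == TYPE_RDP_NEG_REQ:
        _type, _flags, length, protocols = struct.unpack("<BBHI", body[:8])
        if length != 8:
            return None
    return {"cookie": cookie, "protocols": protocols}


class RdpConnectionRateDetector:
    """Mirror of the combination signature: count negotiation requests per
    source IP and fire when `threshold` are seen within `window` seconds."""

    def __init__(self, threshold: int = 10, window: float = 30.0):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)             # src_ip -> timestamps in window

    def observe(self, src_ip: str, ts: float, payload: bytes):
        """Feed one client-to-server payload; return an alert dict or None."""
        req = parse_negotiation_request(payload)
        if req is None:                            # TLS records and later data never match
            return None
        q = self.hits[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:       # drop hits that fell out of the window
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()                              # fire once per burst, then start counting again
            return {"src": src_ip, "ts": ts, "count": self.threshold, "last_cookie": req["cookie"]}
        return None


def run_sample():
    """Constructed traffic: one source hammering RDP, one behaving normally."""
    det = RdpConnectionRateDetector(threshold=10, window=30)
    alerts = []
    # Attacker 198.51.100.7 (documentation range): 12 connection attempts in 12 seconds.
    for i in range(12):
        user = ["administrator", "admin", "backup"][i % 3]
        pkt = build_negotiation_request(user, PROTOCOL_SSL | PROTOCOL_HYBRID)
        alert = det.observe("198.51.100.7", float(i), pkt)
        if alert:
            alerts.append(alert)
        # The TLS ClientHello that follows each request is opaque to the parser,
        # just as the encrypted logon is opaque to signature 40021.
        det.observe("198.51.100.7", float(i) + 0.1, b"\x16\x03\x01\x00\x05hello")
    # Legitimate admin on 10.0.0.5: four reconnects spread over two minutes.
    for t in (0, 40, 80, 120):
        alert = det.observe("10.0.0.5", float(t), build_negotiation_request("ops", PROTOCOL_HYBRID))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

The attacker source reaches ten negotiation requests within thirty seconds and produces exactly one alert; the legitimate source never does. Raising `threshold` or shortening `window` is the same tuning decision as the Time Attribute values in step 7, and the `last_cookie` field shows why the cleartext cookie is worth logging: it reveals which account names a brute-forcer is cycling through even though the logon itself is encrypted.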



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPRUCA4&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail