MS-RDP traffic not being detected as brute force signature 40021 as expected.
9132
Created On 04/03/20 01:32 AM - Last Modified 04/27/20 20:51 PM
Symptom
RDP brute force signature threat id 40021 not working.
Environment
- Any PAN-OS
- Palo Alto Firewall.
- Threat Prevention for MS-RDP brute force attacks.
Cause
- For many years, most versions of Microsoft Windows have carried MS-RDP inside a TLS tunnel. Layer 7 vulnerability signature 40021 therefore cannot see the MS-RDP handshake inside the TLS-encrypted session and no longer triggers.
- Palo Alto Networks firewalls do not yet support TLS decryption for MS-RDP. This is a limitation.
Resolution
The resolution provided below is a workaround:
A custom vulnerability signature built on the custom signature context named "t_120-req-msrdp-negotiation-request" lets customers write their own MS-RDP brute force signatures, which can be more accurate and reduce the number of false positives.
To create a custom signature for MS-RDP brute force (a large number of RDP connection attempts):
- Go to the GUI: Objects > Custom Objects > Vulnerability.
- Click Add to add a signature that detects MS-RDP connections.
- On the Configuration tab: enter Threat ID (example: 41001), Name (example: msrdp negotiation request detection), Severity (informational) and Direction (client2server).
- On the Signatures tab: click Add, enter a signature name (example: msrdp connection), click Add Or Condition, set Operator to "Equal To", set Context to "t_120-req-msrdp-negotiation-request", and set Value to 1. Click OK.
- Commit.
- Return to the same page to add a second signature. On the Configuration tab enter Threat ID (example: 41002), Name (example: MS-RDP connection brute force detection), Severity (critical) and Direction (client2server).
- On the Signatures tab, choose Combination. On the Combination Signatures tab, click Add And Condition, enter the Threat ID of the first signature (example: 41001), and click OK. On the Time Attribute tab, enter the hit threshold (example: Number of Hits 10 per 30 seconds) and select source as the Aggregation Criteria.
- Once complete, Commit.
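The following is an added example, not Palo Alto Networks code, that models the two stages the GUI procedure above configures so the logic can be checked offline. Stage 1 stands in for the "t_120-req-msrdp-negotiation-request" context: it assumes that context matches the RDP Negotiation Request carried in the cleartext X.224 Connection Request that an RDP client sends before any TLS handshake (MS-RDPBCGR section 2.2.1.1), which is why it remains visible when signature 40021 does not. Stage 2 stands in for the combination signature's time attribute (10 hits per 30 seconds, aggregated by source). The packets, addresses and timestamps are constructed here; the PDU layout is the published one, but how the firewall itself evaluates the context is not something this example can reproduce.

```python
"""Added example (not PAN-OS code): model of the two-stage MS-RDP brute force
detection configured in the KB article.  Sample traffic is constructed inline."""
from collections import defaultdict, deque
import struct

TPKT_VERSION = 3                 # TPKT header, RFC 1006
X224_CONNECTION_REQUEST = 0xE0   # X.224 CR TPDU type (high nibble)
RDP_NEG_REQ = 0x01               # rdpNegReq type, MS-RDPBCGR 2.2.1.1.1


def build_sample_connection_request(cookie=b"Cookie: mstshash=admin\r\n",
                                    protocols=0x0000000B):
    """Constructed client->server X.224 Connection Request carrying an
    RDP_NEG_REQ (optional cookie, then type/flags/length/requestedProtocols)."""
    neg = struct.pack("<BBHI", RDP_NEG_REQ, 0, 8, protocols)
    variable = cookie + neg
    # LI counts every byte after itself: type(1) dst-ref(2) src-ref(2) class(1) + variable part
    x224 = bytes([6 + len(variable), X224_CONNECTION_REQUEST, 0, 0, 0, 0, 0]) + variable
    return struct.pack("!BBH", TPKT_VERSION, 0, 4 + len(x224)) + x224


def parse_rdp_negotiation_request(payload):
    """Stage 1: return requestedProtocols if payload is a TPKT-framed X.224
    Connection Request that carries an RDP_NEG_REQ, else None."""
    if len(payload) < 11 or payload[0] != TPKT_VERSION:
        return None
    tpkt_len = struct.unpack("!H", payload[2:4])[0]
    if tpkt_len != len(payload):
        return None                      # truncated or trailing bytes: not a clean PDU
    li = payload[4]
    if 5 + li > len(payload) or (payload[5] & 0xF0) != X224_CONNECTION_REQUEST:
        return None
    variable = payload[11:5 + li]
    # Optional routingToken / cookie precedes rdpNegReq and ends with CR LF.
    if variable[:1] != bytes([RDP_NEG_REQ]):
        end = variable.find(b"\r\n")
        if end < 0:
            return None
        variable = variable[end + 2:]
    if len(variable) < 8:
        return None
    neg_type, _flags, length, protocols = struct.unpack("<BBHI", variable[:8])
    if neg_type != RDP_NEG_REQ or length != 8:
        return None
    return protocols


class RdpBruteForceDetector:
    """Stage 2: sliding-window counter aggregated by source, mirroring the
    combination signature's time attribute (threshold hits per window)."""

    def __init__(self, threshold=10, window_seconds=30):
        self.threshold = threshold
        self.window = window_seconds
        self.hits = defaultdict(deque)   # source -> timestamps of recent hits

    def observe(self, source, ts, payload):
        """Feed one client->server packet; True when this packet pushes the
        source to `threshold` negotiation requests within `window` seconds."""
        if parse_rdp_negotiation_request(payload) is None:
            return False                 # not a negotiation request: no hit
        q = self.hits[source]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                  # drop hits that fell out of the window
        return len(q) >= self.threshold


def run_sample():
    """Constructed traffic: one source hammering RDP, one connecting at a normal
    rate, one HTTP flow.  Returns the (source, timestamp) pairs that alert."""
    det = RdpBruteForceDetector(threshold=10, window_seconds=30)
    rdp = build_sample_connection_request()
    events = [("10.0.0.5", float(t), rdp) for t in range(0, 24, 2)]      # 12 hits in 22 s
    events += [("10.0.0.7", float(t), rdp) for t in range(0, 110, 11)]    # 10 hits over 99 s
    events += [("203.0.113.9", 5.0, b"GET / HTTP/1.1\r\n\r\n")]           # not RDP at all
    events.sort(key=lambda e: e[1])
    return [(src, ts) for src, ts, pkt in events if det.observe(src, ts, pkt)]


if __name__ == "__main__":
    for src, ts in run_sample():
        print(f"ALERT threshold reached: source={src} t={ts:.0f}s")
```

Only the source sending twelve negotiation requests in 22 seconds alerts (from its tenth request onward); the source spread over 99 seconds never has more than three hits inside any 30-second window, and the HTTP packet is not counted at all, which is the false-positive behaviour the aggregation-by-source and hit-count settings are meant to give.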