Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"NF - POLICY - Remote Desktop connection request on non-standard port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; reference:url,networkforensic.dk; classtype:policy-violation; metadata:12112017; sid:5024151; rev:1;)
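As an added example (not part of this page or the networkforensic.dk rule set), the match logic this rule encodes re-implemented in Python and run over constructed packets; the HOME_NET prefix, the Packet class and the build_x224_cr helper are assumptions made for the example.

```python
from dataclasses import dataclass

HOME_NET = "10.0.0."  # assumption: a /24 prefix standing in for $HOME_NET

@dataclass
class Packet:
    src: str        # source IP
    dst: str        # destination IP
    dport: int      # destination TCP port
    payload: bytes  # TCP payload in the client -> server direction

def is_rdp_connect_request(payload: bytes) -> bool:
    """The rule's three content matches, applied to one TCP payload.

    TPKT header: version 3, reserved 0, length < 256  -> 03 00 00 at depth 3
    X.224 CR TPDU: type 0xE0, zero dst-ref/src-ref, class 0 -> offset 5, depth 6
    mstshash cookie anywhere in the payload (the rule's fast_pattern content)
    """
    return (payload[:3] == b"\x03\x00\x00"
            and payload[5:11] == b"\xe0\x00\x00\x00\x00\x00"
            and b"Cookie: mstshash=" in payload)

def matches_rule(pkt: Packet) -> bool:
    """$EXTERNAL_NET any -> $HOME_NET !3389, then the content checks.

    flow:to_server,established is not modelled; the caller is assumed to pass
    only client -> server payloads from established sessions.
    """
    external_to_home = (not pkt.src.startswith(HOME_NET)
                        and pkt.dst.startswith(HOME_NET))
    return external_to_home and pkt.dport != 3389 and is_rdp_connect_request(pkt.payload)

def build_x224_cr(user: str) -> bytes:
    """Constructed sample: an RDP X.224 Connection Request carrying an mstshash cookie."""
    cookie = f"Cookie: mstshash={user}\r\n".encode()
    x224 = b"\xe0\x00\x00\x00\x00\x00" + cookie   # type CR, dst-ref, src-ref, class 0
    x224 = bytes([len(x224)]) + x224               # X.224 length indicator (LI)
    return b"\x03\x00" + (4 + len(x224)).to_bytes(2, "big") + x224  # TPKT header

if __name__ == "__main__":
    cr = build_x224_cr("alice")
    for pkt in [Packet("203.0.113.5", "10.0.0.20", 3390, cr),  # alert
                Packet("203.0.113.5", "10.0.0.20", 3389, cr),  # standard port: not this rule
                Packet("10.0.0.5", "10.0.0.20", 3390, cr),     # internal source: no alert
                Packet("203.0.113.5", "10.0.0.20", 3390, b"GET / HTTP/1.1\r\n")]:
        print(pkt.src, "->", pkt.dst, pkt.dport, matches_rule(pkt))
```

The constructed request places the cookie right after the fixed X.224 fields, but the check deliberately searches the whole payload because the rule's third content has no distance/within modifier and so is not anchored to the previous match.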
Recommendations/Investigative actions
Restrict RDP access to the standard port (3389) or, if possible, block external RDP connections altogether to reduce exposure.
Check the internal device receiving the connection attempt for potential vulnerabilities or signs of unauthorized access.
Relations to other alerts