ET SCAN MS Terminal Server Traffic on Non-standard Port

This alert fires when Microsoft Terminal Server (RDP) traffic is seen on a non-standard port, meaning any destination port other than 3389. The signature keys on the start of an RDP session, an X.224 Connection Request carrying the "Cookie: mstshash=" routing cookie, rather than on the port itself. RDP offered on, or probed for on, an unexpected port may indicate an attempt to evade port-based RDP monitoring, possibly as part of reconnaissance or unauthorized access efforts.

ID Number

4000738

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET !3389 (msg:"ET SCAN MS Terminal Server Traffic on Non-standard Port"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|e0 00 00 00 00 00|"; offset:5; depth:6; content:"Cookie|3a| mstshash="; fast_pattern; classtype:attempted-recon; sid:4000738; rev:2; metadata:affected_product Microsoft_Terminal_Server_RDP, attack_target Server, deployment Perimeter, signature_severity Major, created_at 2017_01_23, performance_impact Low, updated_at 2017_02_23;)
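As an added illustration (not part of the ET rule set or of this page), the Python below mirrors the signature's three content checks and its port constraint on a raw TCP payload, and pulls out the mstshash cookie value an analyst would want when triaging the alert. The connection request used as input is constructed here, not captured traffic.

```python
# Added example: emulate ET sid 4000738 on a TCP payload. The sample RDP
# connection request is constructed test data, not a real capture.
STANDARD_RDP_PORT = 3389
COOKIE_PREFIX = b"Cookie: mstshash="   # content:"Cookie|3a| mstshash="


def is_rdp_connection_request(payload: bytes) -> bool:
    """Apply the rule's content matches to one TCP payload.

    content:"|03 00 00|"; depth:3             -> TPKT version 3, reserved 0,
                                                 high length byte 0
    content:"|e0 00 00 00 00 00|"; offset:5;
    depth:6                                   -> X.224 CR TPDU (0xE0), dst/src
                                                 refs 0, class 0
    content:"Cookie|3a| mstshash="            -> RDP routing cookie with username
    """
    if payload[:3] != b"\x03\x00\x00":
        return False
    if payload[5:11] != b"\xe0\x00\x00\x00\x00\x00":
        return False
    return COOKIE_PREFIX in payload


def rule_matches(dst_port: int, payload: bytes) -> bool:
    """Combine the port constraint (!3389) with the payload checks."""
    return dst_port != STANDARD_RDP_PORT and is_rdp_connection_request(payload)


def extract_mstshash_user(payload: bytes):
    """Return the username from the mstshash cookie, or None (triage aid)."""
    start = payload.find(COOKIE_PREFIX)
    if start < 0:
        return None
    start += len(COOKIE_PREFIX)
    end = payload.find(b"\r\n", start)
    value = payload[start:] if end < 0 else payload[start:end]
    return value.decode("ascii", errors="replace")


def build_x224_connection_request(username: str) -> bytes:
    """Construct a minimal TPKT + X.224 Connection Request (constructed data)."""
    cookie = f"Cookie: mstshash={username}\r\n".encode()
    # CR TPDU: code 0xE0, dst-ref 0000, src-ref 0000, class option 00, cookie
    tpdu = b"\xe0\x00\x00\x00\x00\x00" + cookie
    tpdu = bytes([len(tpdu)]) + tpdu          # length indicator byte
    tpkt = b"\x03\x00" + (4 + len(tpdu)).to_bytes(2, "big")
    return tpkt + tpdu


if __name__ == "__main__":
    req = build_x224_connection_request("alice")
    print("alert on 3390:", rule_matches(3390, req))   # True
    print("alert on 3389:", rule_matches(3389, req))   # False (standard port)
    print("user:", extract_mstshash_user(req))         # alice
```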

Severity

High

Recommendations/Investigative actions

Restrict RDP access to the standard port (3389) or, if possible, block external RDP connections altogether to reduce exposure. Check the internal device receiving the connection attempt for potential vulnerabilities or signs of unauthorized access.