Signature
alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"NF - Norwegian_Nynorsk layout in RDP connection setup"; flow:established; content:"|08 14 00 00|"; nocase; reference:url,networkforensic.dk; metadata:26092014; classtype:misc-activity; sid:5012028; rev:1;)
Recommendations/Investigative actions
Identify which internal device is initiating the RDP session and verify whether it is authorized and expected.
Confirm whether the Norwegian Nynorsk layout is expected in your environment or whether it indicates potentially suspicious activity.
Block unauthorized RDP traffic.
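One way to carry out the first and third actions, as an added example that is not part of the original rule page: the Python below reads alert records for sid 5012028 and lists the internal sources that are not approved RDP clients, together with the external servers they contacted. It assumes the sensor writes Suricata EVE JSON; the sample records, the allowlist and the function name are constructed for illustration.

```python
import json
from collections import defaultdict

RULE_SID = 5012028  # sid of the signature on this page

# Constructed sample records in Suricata EVE JSON form (not real traffic).
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"10.0.5.23","dest_ip":"203.0.113.10","dest_port":3389,"alert":{"signature_id":5012028}}',
    '{"event_type":"alert","src_ip":"10.0.5.23","dest_ip":"198.51.100.7","dest_port":3389,"alert":{"signature_id":5012028}}',
    '{"event_type":"alert","src_ip":"10.0.9.4","dest_ip":"203.0.113.10","dest_port":3389,"alert":{"signature_id":5012028}}',
    '{"event_type":"alert","src_ip":"10.0.7.7","dest_ip":"203.0.113.10","dest_port":3389,"alert":{"signature_id":2000001}}',
    '{"event_type":"flow","src_ip":"10.0.8.8","dest_ip":"203.0.113.10","dest_port":3389}',
    'truncated line {"event_type":',
]

# Hypothetical allowlist of hosts approved to start outbound RDP sessions.
AUTHORIZED_RDP_CLIENTS = {"10.0.9.4"}


def triage(eve_lines, authorized, sid=RULE_SID):
    """Map each unapproved internal source to the external RDP servers it contacted."""
    findings = defaultdict(set)
    for line in eve_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip partial or corrupt log lines
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue  # flow, dns and other record types are not alerts
        if event.get("alert", {}).get("signature_id") != sid:
            continue  # a different signature fired
        src = event.get("src_ip")
        if src and src not in authorized:
            findings[src].add(event.get("dest_ip", "unknown"))
    return {src: sorted(dests) for src, dests in findings.items()}


if __name__ == "__main__":
    for src, dests in triage(SAMPLE_EVE, AUTHORIZED_RDP_CLIENTS).items():
        print(f"{src} -> {', '.join(dests)} (not an approved RDP client)")
```

The sources it returns are the ones to check with their owners and, if the sessions are not sanctioned, the candidates for an egress block on TCP 3389.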
Relations to other alerts