NF – VNC server response
This Snort rule detects VNC server responses in established TCP traffic from external networks ($EXTERNAL_NET) to the internal network ($HOME_NET) on any port. It looks for two content patterns in the payload: "RFB 0" within the first five bytes and ".0" at offset 7, which together match the protocol version banner a VNC server sends at the start of the RFB handshake. When both patterns are present on an established connection, the rule raises an alert.
Signature
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; reference:url,networkforensic.dk; reference:url,doc.emergingthreats.net; metadata:11122018; classtype:misc-activity; sid:5013401; rev:1;)
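As an added illustration (not part of this signature's documentation), the following Python re-implements the rule's two content/offset/depth checks and runs them over constructed payloads, so you can see what the signature fires on and what it misses. The patterns and offsets come from the signature above; the sample payloads and helper names are constructed for this example, and flow:established and the network direction are not modelled.

```python
from typing import Optional, Tuple

# Added example: mirrors the payload checks of sid:5013401, not Snort itself.
RFB_VERSION_LEN = 12  # RFB ProtocolVersion banner is "RFB xxx.yyy\n"


def content_match(payload: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Approximate Snort's content/offset/depth: look for `pattern` in the
    window starting at `offset` and spanning `depth` bytes (to the end if None)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def vnc_server_response_rule(payload: bytes) -> bool:
    """Payload checks of the rule: "RFB 0" inside the first 5 bytes and ".0" in
    the 2-byte window at absolute offset 7, i.e. an "RFB 00x.00y" banner."""
    return (content_match(payload, b"RFB 0", offset=0, depth=5)
            and content_match(payload, b".0", offset=7, depth=2))


def rfb_version(payload: bytes) -> Optional[Tuple[int, int]]:
    """Parse the 12-byte RFB ProtocolVersion message into (major, minor)."""
    if (len(payload) < RFB_VERSION_LEN or payload[:4] != b"RFB "
            or payload[11:12] != b"\n"):
        return None
    try:
        return int(payload[4:7]), int(payload[8:11])
    except ValueError:
        return None


# Constructed sample payloads: RFB 3.8 and 3.3 banners, plus non-VNC and truncated data.
SAMPLES = {
    "rfb_3_8": b"RFB 003.008\n",
    "rfb_3_3": b"RFB 003.003\n",
    "ssh_banner": b"SSH-2.0-OpenSSH_9.6\r\n",
    "http": b"HTTP/1.1 200 OK\r\n",
    "truncated": b"RFB 003",  # banner split across segments: rule needs the full offset 7
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        fires = vnc_server_response_rule(data)
        print(f"{name:11} fires={fires!s:5} version={rfb_version(data)}")
```

The truncated sample shows the caveat a responder should keep in mind: the rule only matches when the whole banner sits in one payload, so a reassembly gap means a missed alert rather than a false positive.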
Recommendations/Investigative actions
Identify the source and destination and contact the POC (point of contact) to confirm whether the VNC communication is authorized. If it is, close the event. If VNC is not an authorized or configured service for these hosts, search for additional suspicious indicators: the traffic may be an attempt at unauthorized remote access or data exfiltration.
Relations to other alerts