NF – VNC server response

This alert is triggered when a VNC (Virtual Network Computing) server response is detected, identified by the "RFB" (Remote Frame Buffer) protocol header. VNC connections can be used by a malicious actor for remote access.

Categories:

ID Number

5013401

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"NF - VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; reference:url,networkforensic.dk; reference:url,doc.emergingthreats.net; metadata:11122018; classtype:misc-activity; sid:5013401; rev:1;)
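The payload conditions of the signature can be checked offline against sample banners before relying on the alert. The following is an added example, not part of the original rule documentation or the rule author's code: it re-implements the two `content` matches with their `depth`/`offset` windows and also parses the RFB version string for triage. The function names and sample payloads are constructed for illustration.

```python
import re

# Constructed sample payloads: the first bytes a server sends on a new TCP session.
SAMPLES = {
    "RFB banner, minor version 008": b"RFB 003.008\n",
    "RFB banner, minor version 003": b"RFB 003.003\n",
    "RFB banner, minor version 889": b"RFB 003.889\n",
    "SSH banner": b"SSH-2.0-OpenSSH_9.6\r\n",
    "RFB string not at payload start": b"xxRFB 003.008\n",
}

def content_match(payload, pattern, offset=0, depth=None):
    """Snort-style content match: look for `pattern` inside the window that
    starts at `offset` and is `depth` bytes long (to end of payload if None)."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]

def rule_5013401_matches(payload):
    """Payload part of the signature: both content matches must hit.
    (Direction and flow:established are not modelled here.)"""
    return (content_match(payload, b"RFB 0", depth=5)
            and content_match(payload, b".0", offset=7, depth=2))

# ProtocolVersion message: "RFB xxx.yyy\n", 12 bytes, sent first by the server.
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

def rfb_version(payload):
    """Return (major, minor) if the payload starts with an RFB banner, else None."""
    m = RFB_BANNER.match(payload)
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(payload):
    """Combine the rule verdict with the parsed version for an analyst note."""
    return {"rule_hit": rule_5013401_matches(payload),
            "version": rfb_version(payload)}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:35} {triage(data)}")
```

The third sample is a well-formed banner that the rule does not match, because the second `content` requires the minor version to begin with `0`; a server announcing such a version needs separate coverage.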

Severity

High

Recommendations/Investigative actions

Identify the external server or internal device involved in the VNC communication to assess if it’s authorized. Restrict or block VNC traffic, especially if remote desktop access is not permitted in the network policy. Investigate the target device for unauthorized access or any potential security vulnerabilities.